New: Super clean of permissions checks

b12d53e1 · Laurent Destailleur · 00dbfcb5 · b12d53e1 · b12d53e1 · b12d53e1
Commit b12d53e1 authored Feb 25, 2008 by Laurent Destailleur
--- a/htdocs/comm/action/index.php
+++ b/htdocs/comm/action/index.php
@@ -38,12 +38,9 @@ $sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
 $sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
 $page = isset($_GET["page"])?$_GET["page"]:$_POST["page"];

-// Scurit accs client
-if ($user->societe_id > 0) 
-{
-  $action = '';
-  $socid = $user->societe_id;
-}
+// Security check
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$result = restrictedArea($user, 'societe',$socid,'',1);

 if ($page == -1) { $page = 0 ; }
 $limit = $conf->liste_limit;

--- a/htdocs/comm/clients.php
+++ b/htdocs/comm/clients.php
@@ -27,7 +27,8 @@
 require("./pre.inc.php");

 // Security check
-$result = restrictedArea($user, 'societe','','',1);
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$result = restrictedArea($user, 'societe',$socid,'',1);

 $page=$_GET["page"];
 $sortorder=$_GET["sortorder"];

--- a/htdocs/comm/contact.php
+++ b/htdocs/comm/contact.php
@@ -38,11 +38,11 @@ if ($page < 0) { $page = 0 ; }
 $limit = $conf->liste_limit;
 $offset = $limit * $page ;

-$socid = isset($_GET["socid"])?$_GET["socid"]:'';
 $type=$_GET["type"];

 // Security check
-$result = restrictedArea($user, 'societe');
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$result = restrictedArea($user, 'societe',$socid,'',1);


 /*

--- a/htdocs/comm/fiche.php
+++ b/htdocs/comm/fiche.php
@@ -41,10 +41,9 @@ $langs->load("bills");
 $langs->load("contracts");
 if ($conf->fichinter->enabled) $langs->load("interventions");

-$socid = isset($_GET["socid"])?$_GET["socid"]:'';
-
 // Security check
-$result = restrictedArea($user, 'societe', $socid);
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$result = restrictedArea($user, 'societe',$socid,'',1);

 $sortorder=$_GET["sortorder"];
 $sortfield=$_GET["sortfield"];

--- a/htdocs/comm/prospect/fiche.php
+++ b/htdocs/comm/prospect/fiche.php
@@ -35,28 +35,9 @@ $langs->load('companies');
 $langs->load('projects');
 $langs->load('propal');

-$socid = isset($_GET["id"])?$_GET["id"]:$_GET["socid"];		// Fonctionne si on passe id ou socid
-if ($socid == '') accessforbidden();
-
-// Protection quand utilisateur externe
-if ($user->societe_id > 0)
-{
-    $socid = $user->societe_id;
-}
-
-// Protection restriction commercial
-if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0)
-{
-        $sql = "SELECT sc.rowid";
-        $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
-        $sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_soc = s.rowid AND sc.fk_user = ".$user->id." AND s.client = 2";
-
-        if ( $db->query($sql) )
-        {
-          if ( $db->num_rows() == 0) accessforbidden();
-        }
-}
-
+// Security check
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$result = restrictedArea($user, 'societe',$socid,'',1);


 /*

--- a/htdocs/comm/prospect/prospects.php
+++ b/htdocs/comm/prospect/prospects.php
@@ -32,13 +32,9 @@ require_once(DOL_DOCUMENT_ROOT."/prospect.class.php");

 $langs->load("propal");

-// Scurit accs client
-$socid=0;
-if ($user->societe_id > 0) 
-{
-  $action = '';
-  $socid = $user->societe_id;
-}
+// Security check
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$result = restrictedArea($user, 'societe',$socid,'',1);

 $socname=isset($_GET["socname"])?$_GET["socname"]:$_POST["socname"];
 $stcomm=isset($_GET["stcomm"])?$_GET["stcomm"]:$_POST["stcomm"];

--- a/htdocs/commande/liste.php
+++ b/htdocs/commande/liste.php
 <?php
 /* Copyright (C) 2001-2005 Rodolphe Quiedeville  <rodolphe@quiedeville.org>
- * Copyright (C) 2004-2006 Laurent Destailleur   <eldy@users.sourceforge.net>
+ * Copyright (C) 2004-2008 Laurent Destailleur   <eldy@users.sourceforge.net>
 * Copyright (C)      2005 Marc Barilley / Ocebo <marc@ocebo.com>
 * Copyright (C) 2005-2007 Regis Houssin         <regis@dolibarr.fr>
 *
@@ -17,15 +17,13 @@
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * $Id$
 */

 /**
        \file       htdocs/commande/liste.php
        \ingroup    commande
        \brief      Page liste des commandes
-        \version    $Revision$
+        \version    $Id$
 */


@@ -35,9 +33,6 @@ require_once(DOL_DOCUMENT_ROOT."/html.formfile.class.php");
 $langs->load('orders');
 $langs->load('companies');

-if (!$user->rights->commande->lire)
-	accessforbidden();
-
 $year=isset($_GET["year"])?$_GET["year"]:$_POST["year"];
 $month=isset($_GET["month"])?$_GET["month"]:$_POST["month"];
 $sref=isset($_GET['sref'])?$_GET['sref']:$_POST['sref'];
@@ -45,13 +40,9 @@ $sref_client=isset($_GET['sref_client'])?$_GET['sref_client']:(isset($_POST['sre
 $snom=isset($_GET['snom'])?$_GET['snom']:$_POST['snom'];
 $sall=isset($_GET['sall'])?$_GET['sall']:$_POST['sall'];

-// Scurit accs client
-$socid = $_GET['socid'];
-if ($user->societe_id > 0)
-{
-	$action = '';
-	$socid = $user->societe_id;
-}
+// Security check
+$orderid = isset($_GET["orderid"])?$_GET["orderid"]:'';
+$result = restrictedArea($user, 'commande', $orderid,'',1);


 /*

--- a/htdocs/compta/commande/liste.php
+++ b/htdocs/compta/commande/liste.php
@@ -42,13 +42,10 @@ if (! $sortorder) $sortorder="DESC";
 $limit = $conf->liste_limit;
 $offset = $limit * $_GET["page"] ;

-// Scurit accs client
-$socid = $_GET["socid"];
-if ($user->societe_id > 0)
-{
-    $action = '';
-    $socid = $user->societe_id;
-}
+// Security check
+$orderid = isset($_GET["orderid"])?$_GET["orderid"]:'';
+$result = restrictedArea($user, 'commande',$orderid,'',1);
+

 $langs->load('companies');


--- a/htdocs/compta/deplacement/fiche.php
+++ b/htdocs/compta/deplacement/fiche.php
 <?php
 /* Copyright (C) 2003      Rodolphe Quiedeville <rodolphe@quiedeville.org>
- * Copyright (C) 2004-2006 Laurent Destailleur  <eldy@users.sourceforge.net>
+ * Copyright (C) 2004-2008 Laurent Destailleur  <eldy@users.sourceforge.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -15,21 +15,21 @@
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * $Id$
- * $Source$
 */

 /**
 	    \file       htdocs/compta/deplacement/fiche.php
 		\brief      Page fiche d'un dplacement
+		\version	$Id$
 */

 require("./pre.inc.php");

 $langs->load("trips");

+// Security check
 $id=isset($_GET["id"])?$_GET["id"]:$_POST["id"];
+$result = restrictedArea($user, 'deplacement', $id,'',1);


 $mesg = '';
@@ -38,7 +38,7 @@ $mesg = '';
 /*
 * Actions
 */
-if ($_POST["action"] == 'confirm_delete' && $_POST["confirm"] == "yes")
+if ($_POST["action"] == 'confirm_delete' && $_POST["confirm"] == "yes" && $user->rights->deplacement->supprimer)
 {
 	$deplacement = new Deplacement($db);
 	$deplacement->delete($_GET["id"]);
@@ -46,11 +46,13 @@ if ($_POST["action"] == 'confirm_delete' && $_POST["confirm"] == "yes")
 	exit;
 }

-if ($_POST["action"] == 'add' && $_POST["cancel"] <> $langs->trans("Cancel"))
+if ($_POST["action"] == 'add' && $user->rights->deplacement->creer)
+{
+	if (! $_POST["cancel"])
 	{
 	 	$deplacement = new Deplacement($db);

-	$deplacement->date = mktime(12, 1 , 1,
+		$deplacement->date = dolibarr_mktime(12, 0, 0,
 						$_POST["remonth"],
 						$_POST["reday"],
 						$_POST["reyear"]);
@@ -70,13 +72,21 @@ if ($_POST["action"] == 'add' && $_POST["cancel"] <> $langs->trans("Cancel"))
 			dolibarr_print_error($db,$deplacement->error);
 		}
 	}
+	else
+	{
+		Header ( "Location: index.php");
+		exit;
+	}
+}

-if ($_POST["action"] == 'update' && $_POST["cancel"] <> $langs->trans("Cancel"))
+if ($_POST["action"] == 'update' && $user->rights->deplacement->creer)
+{
+	if (!  $_POST["cancel"])
 	{
 		$deplacement = new Deplacement($db);
 		$result = $deplacement->fetch($_POST["id"]);
 		
-	$deplacement->date = mktime(12, 1 , 1,
+		$deplacement->date = dolibarr_mktime(12, 0 , 0,
 					$_POST["remonth"],
 					$_POST["reday"],
 					$_POST["reyear"]);
@@ -95,6 +105,12 @@ if ($_POST["action"] == 'update' && $_POST["cancel"] <> $langs->trans("Cancel"))
 			print $mesg=$langs->trans("ErrorUnknown");
 		}
 	}
+	else
+	{
+		Header ( "Location: index.php");
+		exit;
+	}
+}




--- a/htdocs/compta/deplacement/index.php
+++ b/htdocs/compta/deplacement/index.php
@@ -17,14 +17,12 @@
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * $Id$
- * $Source$
 */

 /**
 	    \file       htdocs/compta/deplacement/index.php
 		\brief      Page liste des dplacements
+		\version	$Id$
 */

 require("./pre.inc.php");
@@ -34,6 +32,9 @@ $langs->load("companies");
 $langs->load("users");
 $langs->load("trips");

+// Security check
+$result = restrictedArea($user, 'deplacement','','',1);
+

 llxHeader();


--- a/htdocs/compta/facture/impayees.php
+++ b/htdocs/compta/facture/impayees.php
@@ -32,21 +32,11 @@ require_once(DOL_DOCUMENT_ROOT."/html.formfile.class.php");
 require_once(DOL_DOCUMENT_ROOT."/facture.class.php");
 require_once(DOL_DOCUMENT_ROOT."/paiement.class.php");

-if (!$user->rights->facture->lire)
-accessforbidden();
-
 $langs->load("bills");

-
-
-if ($_GET["socid"]) { $socid=$_GET["socid"]; }
-
-// Scurit accs client
-if ($user->societe_id > 0)
-{
-	$action = '';
-	$socid = $user->societe_id;
-}
+// Security check
+$facid = isset($_GET["facid"])?$_GET["facid"]:'';
+$result = restrictedArea($user, 'facture',$facid,'',1);


 llxHeader('',$langs->trans("BillsCustomersUnpayed"));

--- a/htdocs/compta/fiche.php
+++ b/htdocs/compta/fiche.php
@@ -33,30 +33,9 @@ $langs->load("companies");
 if ($conf->facture->enabled) $langs->load("bills");
 if ($conf->projet->enabled)  $langs->load("projects");

+// Security check
 $socid = isset($_GET["socid"])?$_GET["socid"]:'';
-if ($socid == '') accessforbidden();
-
-// Protection quand utilisateur externe
-if ($user->societe_id > 0)
-{
-    $action = '';
-    $socid = $user->societe_id;
-}
-
-
-// Protection restriction commercial
-if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0)
-{
-	//print "eeeee".$socid."rr".$user->societe_id."oo".$user->rights->commercial->client->voir;
-	$sql = "SELECT sc.fk_soc, s.client";
-	$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."societe as s";
-	$sql .= " WHERE sc.fk_soc = ".$socid." AND sc.fk_user = ".$user->id." AND s.client = 1";
-	
-	if ( $db->query($sql) )
-	{
-		if ( $db->num_rows() == 0) accessforbidden();
-	}
-}
+$result = restrictedArea($user, 'societe',$socid,'',1);


 /*

--- a/htdocs/compta/paiement/cheque/fiche.php
+++ b/htdocs/compta/paiement/cheque/fiche.php
@@ -15,15 +15,13 @@
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * $Id$
 */

 /**
   \file       htdocs/compta/paiement/cheque/fiche.php
   \ingroup    facture
   \brief      Onglet paiement cheque
-   \version    $Revision$
+   \version    $Id$
 */

 require('./pre.inc.php');
@@ -36,6 +34,9 @@ $langs->load('bills');
 $langs->load('banks');
 $langs->load('companies');

+// Security check
+$result = restrictedArea($user, 'banque', '','',0);
+
 $mesg='';

 $sortfield=isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];

--- a/htdocs/compta/paiement/cheque/index.php
+++ b/htdocs/compta/paiement/cheque/index.php
 <?php
 /* Copyright (C) 2006      Rodolphe Quiedeville <rodolphe@quiedeville.org>
- * Copyright (C) 2007 Laurent Destailleur  <eldy@users.sourceforge.net>
+ * Copyright (C) 2007-2008 Laurent Destailleur  <eldy@users.sourceforge.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -15,15 +15,13 @@
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * $Id$
 */
 
 /**
 		\file       htdocs/compta/paiement/cheque/index.php
 		\ingroup    compta
 		\brief      Page liste des bordereau de remise de cheque
-		\version    $Revision$
+		\version    $Id$
 */

 require("./pre.inc.php");
@@ -32,16 +30,9 @@ require_once(DOL_DOCUMENT_ROOT.'/compta/bank/account.class.php');

 $langs->load("banks");

-// Scurit accs client
-if (! $user->rights->banque)
-  accessforbidden();
+// Security check
+$result = restrictedArea($user, 'banque', '','',1);

-$socid=0;
-if ($user->societe_id > 0) 
-{
-  $action = '';
-  $socid = $user->societe_id;
-}

 $checkdepositstatic=new RemiseCheque($db);
 $accountstatic=new Account($db);

--- a/htdocs/compta/paiement/cheque/liste.php
+++ b/htdocs/compta/paiement/cheque/liste.php
@@ -30,16 +30,8 @@ require_once(DOL_DOCUMENT_ROOT.'/compta/bank/account.class.php');

 $langs->load("bills");

-// S�curit� acc�s client
-if (! $user->rights->facture->lire && ! $user->rights->adherent->cotisation->lire)
-  accessforbidden();
-
-$socid=0;
-if ($user->societe_id > 0) 
-{
-  $action = '';
-  $socid = $user->societe_id;
-}
+// Security check
+$result = restrictedArea($user, 'banque', '','',1);

 $page=$_GET["page"];
 $sortorder=$_GET["sortorder"];

--- a/htdocs/compta/paiement/liste.php
+++ b/htdocs/compta/paiement/liste.php
@@ -33,16 +33,10 @@ require_once(DOL_DOCUMENT_ROOT.'/compta/bank/account.class.php');

 $langs->load("bills");

-// Scurit accs client
-if (! $user->rights->facture->lire)
-  accessforbidden();
+// Security check
+$facid = isset($_GET["facid"])?$_GET["facid"]:'';
+$result = restrictedArea($user, 'facture',$facid,'',1);

-$socid=0;
-if ($user->societe_id > 0) 
-{
-  $action = '';
-  $socid = $user->societe_id;
-}

 $paymentstatic=new Paiement($db);
 $accountstatic=new Account($db);
@@ -50,8 +44,9 @@ $companystatic=new Societe($db);


 /*
- * Affichage
+* 	View
 */
+
 llxHeader('',$langs->trans("ListPayment"));

 $page=$_GET["page"];

--- a/htdocs/compta/prelevement/demandes.php
+++ b/htdocs/compta/prelevement/demandes.php
@@ -30,15 +30,12 @@
 require("./pre.inc.php");
 require_once DOL_DOCUMENT_ROOT."/includes/modules/modPrelevement.class.php";

-if (!$user->rights->prelevement->bons->lire)
-  accessforbidden();
-
 $langs->load("widthdrawals");

-if ($user->societe_id > 0)
-{
-  $socid = $user->societe_id;
-}
+// Security check
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$result = restrictedArea($user, 'prelevement','','',1);
+

 llxHeader();


--- a/htdocs/compta/prelevement/index.php
+++ b/htdocs/compta/prelevement/index.php
@@ -32,16 +32,11 @@ require_once DOL_DOCUMENT_ROOT."/includes/modules/modPrelevement.class.php";

 $langs->load("withdrawals");

+// Security check
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$result = restrictedArea($user, 'prelevement','','',1);

-if (!$user->rights->prelevement->bons->lire)
-  accessforbidden();

-// Scurit accs client
-if ($user->societe_id > 0)
-{
-    $action = '';
-    $socid = $user->societe_id;
-}


 /*

--- a/htdocs/contact/exportimport.php
+++ b/htdocs/contact/exportimport.php
@@ -32,42 +32,13 @@ require_once(DOL_DOCUMENT_ROOT."/lib/contact.lib.php");

 $langs->load("companies");

-// Protection quand utilisateur externe
+// Security check
 $contactid = isset($_GET["id"])?$_GET["id"]:'';
-
-$socid=0;
-if ($user->societe_id > 0)
-{
-    $socid = $user->societe_id;
-}
-
-// Protection restriction commercial
-if ($contactid && ! $user->rights->commercial->client->voir)
-{
-    $sql = "SELECT sc.fk_soc, sp.fk_soc";
-    $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."socpeople as sp";
-    $sql .= " WHERE sp.rowid = ".$contactid;
-    if (! $user->rights->commercial->client->voir && ! $socid)
-    {
-    	$sql .= " AND sc.fk_soc = sp.fk_soc AND sc.fk_user = ".$user->id;
-    }
-    if ($socid) $sql .= " AND sp.fk_soc = ".$socid;
-
-    $resql=$db->query($sql);
-    if ($resql)
-    {
-    	if ($db->num_rows() == 0) accessforbidden();
-    }
-    else
-    {
-    	dolibarr_print_error($db);
-    }
-}
+$result = restrictedArea($user, 'contact',$contactid,'',1);


 /*
- *
- *
+*	View
 */

 llxHeader();

--- a/htdocs/contact/fiche.php
+++ b/htdocs/contact/fiche.php
@@ -35,36 +35,17 @@ require_once(DOL_DOCUMENT_ROOT."/lib/contact.lib.php");
 $langs->load("companies");
 $langs->load("users");

-
 $error = array();
 $socid=$_GET["socid"]?$_GET["socid"]:$_POST["socid"];

-// Protection quand utilisateur externe
+// Security check
 $contactid = isset($_GET["id"])?$_GET["id"]:'';
+$result = restrictedArea($user, 'contact', $contactid,'',0);

-if ($user->societe_id > 0)
-{
-    $socid = $user->societe_id;
-}
-
-// Protection restriction commercial
-if ($contactid && !$user->rights->commercial->client->voir)
-{
-	$sql = "SELECT sc.fk_soc, sp.fk_soc";
-	$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."socpeople as sp";
-	$sql .= " WHERE sp.rowid = ".$contactid;
-	if (!$user->rights->commercial->client->voir && !$user->societe_id > 0)
-	{
-		$sql .= " AND sc.fk_soc = sp.fk_soc AND sc.fk_user = ".$user->id;
-	}
-	if ($user->societe_id > 0) $sql .= " AND sp.fk_soc = ".$socid;
-
-	if ( $db->query($sql) )
-	{
-		if ( $db->num_rows() == 0) accessforbidden();
-	}
-}

+/*
+*	Actions
+*/

 // Creation utilisateur depuis contact
 if ($user->rights->user->user->creer)