Strona główna Odkrywaj Pomoc
Zaloguj się
iProspective
/
dolibarr
3
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Przeglądaj źródła

Clean code

Laurent Destailleur 3 lat temu
rodzic
762de973eb
commit
7c253c7e28
2 zmienionych plików z 15 dodań i 23 usunięć
Widok podzielony Pokaż statystyki zmian
  1. 15 18
      htdocs/core/lib/security.lib.php
  2. 0 5
      htdocs/workstation/workstation_note.php

+ 15 - 18
htdocs/core/lib/security.lib.php
Wyświetl plik 

@@ -216,19 +216,19 @@ function dolGetLdapPasswordHash($password, $type = 'md5')
 
  * 	If GETPOST('action','aZ09') defined, we also check write and delete permission.
 
  *  This method check permission on module then call checkUserAccessToObject() for permission on object (according to entity and socid of user).
 
  *
 
- *	@param	User	$user      	  	User to check
 
- *	@param  string	$features	    Features to check (it must be module $object->element. Can be a 'or' check with 'levela|levelb'.
 
- *									Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
 
- *									This is used to check permission $user->rights->features->...
 
- *	@param  int		$objectid      	Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
 
- *	@param  string	$tableandshare  'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional).
 
- *	@param  string	$feature2		Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'.
 
- *									This is used to check permission $user->rights->features->feature2...
 
- *  @param  string	$dbt_keyfield   Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
 
- *  @param  string	$dbt_select     Field name for select if not rowid. Not used if objectid is null (optional)
 
- *  @param	int		$isdraft		1=The object with id=$objectid is a draft
 
- *  @param	int		$mode			Mode (0=default, 1=return with not die)
 
- * 	@return	int						If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
 
+ *	@param	User		$user      	  	User to check
 
+ *	@param  string		$features	    Features to check (it must be module $object->element. Can be a 'or' check with 'levela|levelb'.
 
+ *										Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
 
+ *										This is used to check permission $user->rights->features->...
 
+ *	@param  int			$objectid      	Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
 
+ *	@param  string		$tableandshare  'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional).
 
+ *	@param  string		$feature2		Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'.
 
+ *										This is used to check permission $user->rights->features->feature2...
 
+ *  @param  string		$dbt_keyfield   Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
 
+ *  @param  string		$dbt_select     Field name for select if not rowid. Not used if objectid is null (optional)
 
+ *  @param	int			$isdraft		1=The object with id=$objectid is a draft
 
+ *  @param	int			$mode			Mode (0=default, 1=return with not die)
 
+ * 	@return	int							If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
 
  *  @see dol_check_secure_access_document(), checkUserAccessToObject()
 
  */
 
 function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0)
 
@@ -236,6 +236,8 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 
 	global $db, $conf;
 
 	global $hookmanager;
 
 
+	$objectid = ((int) $objectid);	// For the case value is coming from a non sanitized user input
 
+
 
 	//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft");
 
 	//print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
 
 	//print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
 
@@ -270,7 +272,6 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 
 		$features = 'produit';
 
 	}
 
 
-
 
 	// Get more permissions checks from hooks
 
 	$parameters = array('features'=>$features, 'originalfeatures'=>$originalfeatures, 'objectid'=>$objectid, 'dbt_select'=>$dbt_select, 'idtype'=>$dbt_select, 'isdraft'=>$isdraft);
 
 	$reshook = $hookmanager->executeHooks('restrictedArea', $parameters);
 
@@ -288,10 +289,6 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f
 
 		return 1;
 
 	}
 
 
-	if ($dbt_select != 'rowid' && $dbt_select != 'id') {
 
-		$objectid = "'".$db->escape($objectid)."'";
 
-	}
 
-
 
 	// Features/modules to check
 
 	$featuresarray = array($features);
 
 	if (preg_match('/&/', $features)) {

+ 0 - 5
htdocs/workstation/workstation_note.php
Wyświetl plik 

@@ -46,11 +46,6 @@ $hookmanager->initHooks(array('workstationnote', 'globalcard')); // Note that co
 
 // Fetch optionals attributes and labels
 
 $extrafields->fetch_name_optionals_label($object->table_element);
 
 
-// Security check - Protection if external user
 
-//if ($user->socid > 0) accessforbidden();
 
-//if ($user->socid > 0) $socid = $user->socid;
 
-//$result = restrictedArea($user, 'workstation', $id);
 
-
 
 // Load object
 
 include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once  // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals
 
 if ($id > 0 || !empty($ref)) {