
Fix missing security check on payment

Laurent Destailleur 2 years ago
parent
commit
e67c37f3ba
2 changed files with 13 additions and 4 deletions
  1. 4 4
      htdocs/compta/payment_sc/card.php
  2. 9 0
      htdocs/core/lib/security.lib.php

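--- a/htdocs/compta/payment_sc/card.php
+++ b/htdocs/compta/payment_sc/card.php
@@ -46,8 +46,6 @@ $confirm = GETPOST('confirm', 'aZ09');
 if ($user->socid) {
 	$socid = $user->socid;
 }
-// TODO ajouter regle pour restreindre acces paiement
-//$result = restrictedArea($user, 'facture', $id,'');
 
 $object = new PaymentSocialContribution($db);
 if ($id > 0) {
@@ -57,6 +55,8 @@ if ($id > 0) {
 	}
 }
 
+$result = restrictedArea($user, 'payment_sc', $id, '');
+
 
 /*
  * Actions
@@ -77,7 +77,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes' && $user->hasRight('tax', '
 	}
 }
 
-if ($action == 'setdatep' && GETPOST('datepday') && $user->hasRight('tax', 'charges', 'creer')) {
+/*if ($action == 'setdatep' && GETPOST('datepday') && $user->hasRight('tax', 'charges', 'creer')) {
 	$datepaye = dol_mktime(GETPOST('datephour', 'int'), GETPOST('datepmin', 'int'), GETPOST('datepsec', 'int'), GETPOST('datepmonth', 'int'), GETPOST('datepday', 'int'), GETPOST('datepyear', 'int'));
 	$res = $object->update_date($datepaye);
 	if ($res === 0) {
@@ -85,7 +85,7 @@ if ($action == 'setdatep' && GETPOST('datepday') && $user->hasRight('tax', 'char
 	} else {
 		setEventMessages($langs->trans('PaymentDateUpdateFailed'), null, 'errors');
 	}
-}
+}*/
 
 
 /*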
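Review bot: The added `$result = restrictedArea($user, 'payment_sc', $id, '');` sits after the `if ($id > 0)` block that loads the object, so the payment row is fetched from the database before the permission check runs, and `$result` is never inspected afterwards; since `$id` is already known, moving the call above the fetch keeps the check ahead of any data access. With an empty fourth (table) argument the call appears to verify only the module-level `tax->charges->lire` right — whether it also confirms that payment `$id` belongs to the user's entity, or makes any use of the `$socid` assigned from `$user->socid` a few lines above, is not visible in this hunk and should be confirmed in restrictedArea. The `setdatep` handler is disabled by wrapping it in `/* … */` rather than hardened: it already carried `$user->hasRight('tax', 'charges', 'creer')`, so this is not a permission fix, and the commented-out block should either be deleted or annotated with the reason, e.g. `// setdatep action intentionally disabled — TODO: document why, or remove this dead code`.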

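--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -466,6 +466,11 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '',
 				$readok = 0;
 				$nbko++;
 			}
+		} elseif ($feature == 'payment_sc') {
+			if (empty($user->rights->tax->charges->lire)) {
+				$readok = 0;
+				$nbko++;
+			}
 		} elseif (!empty($feature2)) { 													// This is for permissions on 2 levels
 			$tmpreadok = 1;
 			foreach ($feature2 as $subfeature) {
@@ -648,6 +653,10 @@ function restrictedArea(User $user, $features, $object = 0, $tableandshare = '',
 				if (!$user->rights->facture->paiement) {
 						$deleteok = 0;
 				}
+			} elseif ($feature == 'payment_sc') {
+				if (!$user->rights->tax->charges->creer) {
+					$deleteok = 0;
+				}
 			} elseif ($feature == 'banque') {
 				if (empty($user->rights->banque->modifier)) {
 					$deleteok = 0;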