Home Explore Help
Sign In
iProspective
/
dolibarr
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: c71488e58b
Branches Tags
dolibarr
/
htdocs
/
core
/
lib
/
security.lib.php

security.lib.php 23 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570 
  1. <?php
    2. 

  2. /* Copyright (C) 2008-2011 Laurent Destailleur  <eldy@users.sourceforge.net>
    3. 

  3.  * Copyright (C) 2008-2017 Regis Houssin        <regis.houssin@capnetworks.com>
    4. 

  4.  *
    5. 

  5.  * This program is free software; you can redistribute it and/or modify
    6. 

  6.  * it under the terms of the GNU General Public License as published by
    7. 

  7.  * the Free Software Foundation; either version 3 of the License, or
    8. 

  8.  * (at your option) any later version.
    9. 

  9.  *
    10. 

  10.  * This program is distributed in the hope that it will be useful,
    11. 

  11.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13. 

  13.  * GNU General Public License for more details.
    14. 

  14.  *
    15. 

  15.  * You should have received a copy of the GNU General Public License
    16. 

  16.  * along with this program. If not, see <http://www.gnu.org/licenses/>.
    17. 

  17.  * or see http://www.gnu.org/
    18. 

  18.  */
    19. 

  19. 

  20. /**
    21. 

  21.  *  \file		htdocs/core/lib/security.lib.php
    22. 

  22.  *  \ingroup    core
    23. 

  23.  *  \brief		Set of function used for dolibarr security (common function included into filefunc.inc.php)
    24. 

  24.  *  			Warning, this file must not depends on other library files, except function.lib.php
    25. 

  25.  *  			because it is used at low code level.
    26. 

  26.  */
    27. 

  27. 

  28. 

  29. /**
    30. 

  30.  *	Encode a string with base 64 algorithm + specific change
    31. 

  31.  *	Code of this function is useless and we should use base64_encode only instead
    32. 

  32.  *
    33. 

  33.  *	@param   string		$chain		string to encode
    34. 

  34.  *	@return  string					encoded string
    35. 

  35.  */
    36. 

  36. function dol_encode($chain)
    37. 

  37. {
    38. 

  38.     $strlength=dol_strlen($chain);
    39. 

  39. 	for ($i=0; $i < $strlength; $i++)
    40. 

  40. 	{
    41. 

  41. 		$output_tab[$i] = chr(ord(substr($chain,$i,1))+17);
    42. 

  42. 	}
    43. 

  43. 

  44. 	$string_coded = base64_encode(implode("",$output_tab));
    45. 

  45. 	return $string_coded;
    46. 

  46. }
    47. 

  47. 

  48. /**
    49. 

  49.  *	Decode a base 64 encoded + specific string.
    50. 

  50.  *  This function is called by filefunc.inc.php at each page call.
    51. 

  51.  *	Code of this function is useless and we should use base64_decode only instead
    52. 

  52.  *
    53. 

  53.  *	@param   string		$chain		string to decode
    54. 

  54.  *	@return  string					decoded string
    55. 

  55.  */
    56. 

  56. function dol_decode($chain)
    57. 

  57. {
    58. 

  58. 	$chain = base64_decode($chain);
    59. 

  59. 

  60. 	$strlength=dol_strlen($chain);
    61. 

  61. 	for($i=0; $i < $strlength;$i++)
    62. 

  62. 	{
    63. 

  63. 		$output_tab[$i] = chr(ord(substr($chain,$i,1))-17);
    64. 

  64. 	}
    65. 

  65. 

  66. 	$string_decoded = implode("",$output_tab);
    67. 

  67. 	return $string_decoded;
    68. 

  68. }
    69. 

  69. 

  70. 

  71. /**
    72. 

  72.  * 	Returns a hash of a string.
    73. 

  73.  *  If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function.
    74. 

  74.  *  If constant MAIN_SECURITY_SALT is defined, we use it as a salt.
    75. 

  75.  *
    76. 

  76.  * 	@param 		string		$chain		String to hash
    77. 

  77.  * 	@param		int			$type		Type of hash (0:auto, 1:sha1, 2:sha1+md5, 3:md5, 4:md5 for OpenLdap). Use 3 here, if hash is not needed for security purpose, for security need, prefer 0.
    78. 

  78.  * 	@return		string					Hash of string
    79. 

  79.  */
    80. 

  80. function dol_hash($chain,$type=0)
    81. 

  81. {
    82. 

  82. 	global $conf;
    83. 

  83. 

  84. 	// Salt value
    85. 

  85. 	if (! empty($conf->global->MAIN_SECURITY_SALT)) $chain=$conf->global->MAIN_SECURITY_SALT.$chain;
    86. 

  86. 

  87. 	if ($type == 1) return sha1($chain);
    88. 

  88. 	else if ($type == 2) return sha1(md5($chain));
    89. 

  89. 	else if ($type == 3) return md5($chain);
    90. 

  90. 	else if ($type == 4) return '{md5}'.base64_encode(mhash(MHASH_MD5,$chain)); // For OpenLdap with md5
    91. 

  91. 	else if (! empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'sha1') return sha1($chain);
    92. 

  92. 	else if (! empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'sha1md5') return sha1(md5($chain));
    93. 

  93. 

  94. 	// No particular enconding defined, use default
    95. 

  95. 	return md5($chain);
    96. 

  96. }
    97. 

  97. 

  98. 

  99. /**
    100. 

  100.  *	Check permissions of a user to show a page and an object. Check read permission.
    101. 

  101.  * 	If GETPOST('action','aZ09') defined, we also check write and delete permission.
    102. 

  102.  *
    103. 

  103.  *	@param	User	$user      	  	User to check
    104. 

  104.  *	@param  string	$features	    Features to check (it must be module name. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
    105. 

  105.  *	@param  int		$objectid      	Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
    106. 

  106.  *	@param  string	$tableandshare  'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany modume. Param not used if objectid is null (optional).
    107. 

  107.  *	@param  string	$feature2		Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
    108. 

  108.  *  @param  string	$dbt_keyfield   Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
    109. 

  109.  *  @param  string	$dbt_select     Field name for select if not rowid. Not used if objectid is null (optional)
    110. 

  110.  *  @param	Canvas	$objcanvas		Object canvas
    111. 

  111.  * 	@return	int						Always 1, die process if not allowed
    112. 

  112.  *  @see dol_check_secure_access_document
    113. 

  113.  */
    114. 

  114. function restrictedArea($user, $features, $objectid=0, $tableandshare='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid', $objcanvas=null)
    115. 

  115. {
    116. 

  116.     global $db, $conf;
    117. 

  117. 

  118.     //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
    119. 

  119.     //print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
    120. 

  120.     //print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
    121. 

  121.     //print ", perm: ".$features."->".$feature2."=".($user->rights->$features->$feature2->lire)."<br>";
    122. 

  122. 

  123.     // If we use canvas, we try to use function that overlod restrictarea if provided with canvas
    124. 

  124.     if (is_object($objcanvas))
    125. 

  125.     {
    126. 

  126.         if (method_exists($objcanvas->control,'restrictedArea')) return $objcanvas->control->restrictedArea($user,$features,$objectid,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
    127. 

  127.     }
    128. 

  128. 

  129.     if ($dbt_select != 'rowid' && $dbt_select != 'id') $objectid = "'".$objectid."'";
    130. 

  130. 

  131.     // Features/modules to check
    132. 

  132.     $featuresarray = array($features);
    133. 

  133.     if (preg_match('/&/', $features)) $featuresarray = explode("&", $features);
    134. 

  134.     else if (preg_match('/\|/', $features)) $featuresarray = explode("|", $features);
    135. 

  135. 

  136.     // More subfeatures to check
    137. 

  137.     if (! empty($feature2)) $feature2 = explode("|", $feature2);
    138. 

  138. 

  139.     // More parameters
    140. 

  140.     $params = explode('&', $tableandshare);
    141. 

  141.     $dbtablename=(! empty($params[0]) ? $params[0] : '');
    142. 

  142.     $sharedelement=(! empty($params[1]) ? $params[1] : $dbtablename);
    143. 

  143. 

  144. 	$listofmodules=explode(',',$conf->global->MAIN_MODULES_FOR_EXTERNAL);
    145. 

  145. 

  146. 	// Check read permission from module
    147. 

  147.     $readok=1; $nbko=0;
    148. 

  148.     foreach ($featuresarray as $feature)	// first we check nb of test ko
    149. 

  149.     {
    150. 

  150.     	if (! empty($user->societe_id) && ! empty($conf->global->MAIN_MODULES_FOR_EXTERNAL) && ! in_array($feature,$listofmodules))	// If limits on modules for external users, module must be into list of modules for external users
    151. 

  151.     	{
    152. 

  152.     		$readok=0; $nbko++;
    153. 

  153.     		continue;
    154. 

  154.     	}
    155. 

  155. 

  156.         if ($feature == 'societe')
    157. 

  157.         {
    158. 

  158.             if (! $user->rights->societe->lire && ! $user->rights->fournisseur->lire) { $readok=0; $nbko++; }
    159. 

  159.         }
    160. 

  160.         else if ($feature == 'contact')
    161. 

  161.         {
    162. 

  162.             if (! $user->rights->societe->contact->lire) { $readok=0; $nbko++; }
    163. 

  163.         }
    164. 

  164.         else if ($feature == 'produit|service')
    165. 

  165.         {
    166. 

  166.             if (! $user->rights->produit->lire && ! $user->rights->service->lire) { $readok=0; $nbko++; }
    167. 

  167.         }
    168. 

  168.         else if ($feature == 'prelevement')
    169. 

  169.         {
    170. 

  170.             if (! $user->rights->prelevement->bons->lire) { $readok=0; $nbko++; }
    171. 

  171.         }
    172. 

  172.         else if ($feature == 'cheque')
    173. 

  173.         {
    174. 

  174.             if (! $user->rights->banque->cheque) { $readok=0; $nbko++; }
    175. 

  175.         }
    176. 

  176.         else if ($feature == 'projet')
    177. 

  177.         {
    178. 

  178.             if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) { $readok=0; $nbko++; }
    179. 

  179.         }
    180. 

  180.         else if (! empty($feature2))	// This should be used for future changes
    181. 

  181.         {
    182. 

  182.         	$tmpreadok=1;
    183. 

  183.         	foreach($feature2 as $subfeature)
    184. 

  184.         	{
    185. 

  185.         		if (! empty($subfeature) && empty($user->rights->$feature->$subfeature->lire) && empty($user->rights->$feature->$subfeature->read)) { $tmpreadok=0; }
    186. 

  186.         		else if (empty($subfeature) && empty($user->rights->$feature->lire) && empty($user->rights->$feature->read)) { $tmpreadok=0; }
    187. 

  187.         		else { $tmpreadok=1; break; } // Break is to bypass second test if the first is ok
    188. 

  188.         	}
    189. 

  189.         	if (! $tmpreadok)	// We found a test on feature that is ko
    190. 

  190.         	{
    191. 

  191.         		$readok=0;	// All tests are ko (we manage here the and, the or will be managed later using $nbko).
    192. 

  192.         		$nbko++;
    193. 

  193.         	}
    194. 

  194.         }
    195. 

  195.         else if (! empty($feature) && ($feature!='user' && $feature!='usergroup'))		// This is for old permissions
    196. 

  196.         {
    197. 

  197.             if (empty($user->rights->$feature->lire)
    198. 

  198.             && empty($user->rights->$feature->read)
    199. 

  199.             && empty($user->rights->$feature->run)) { $readok=0; $nbko++; }
    200. 

  200.         }
    201. 

  201.     }
    202. 

  202. 

  203.     // If a or and at least one ok
    204. 

  204.     if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) $readok=1;
    205. 

  205. 

  206.     if (! $readok) accessforbidden();
    207. 

  207.     //print "Read access is ok";
    208. 

  208. 

  209.     // Check write permission from module
    210. 

  210.     $createok=1; $nbko=0;
    211. 

  211.     if (GETPOST('action','aZ09')  == 'create')
    212. 

  212.     {
    213. 

  213.         foreach ($featuresarray as $feature)
    214. 

  214.         {
    215. 

  215.             if ($feature == 'contact')
    216. 

  216.             {
    217. 

  217.                 if (! $user->rights->societe->contact->creer) { $createok=0; $nbko++; }
    218. 

  218.             }
    219. 

  219.             else if ($feature == 'produit|service')
    220. 

  220.             {
    221. 

  221.                 if (! $user->rights->produit->creer && ! $user->rights->service->creer) { $createok=0; $nbko++; }
    222. 

  222.             }
    223. 

  223.             else if ($feature == 'prelevement')
    224. 

  224.             {
    225. 

  225.                 if (! $user->rights->prelevement->bons->creer) { $createok=0; $nbko++; }
    226. 

  226.             }
    227. 

  227.             else if ($feature == 'commande_fournisseur')
    228. 

  228.             {
    229. 

  229.                 if (! $user->rights->fournisseur->commande->creer) { $createok=0; $nbko++; }
    230. 

  230.             }
    231. 

  231.             else if ($feature == 'banque')
    232. 

  232.             {
    233. 

  233.                 if (! $user->rights->banque->modifier) { $createok=0; $nbko++; }
    234. 

  234.             }
    235. 

  235.             else if ($feature == 'cheque')
    236. 

  236.             {
    237. 

  237.                 if (! $user->rights->banque->cheque) { $createok=0; $nbko++; }
    238. 

  238.             }
    239. 

  239.             else if (! empty($feature2))	// This should be used
    240. 

  240.             {
    241. 

  241.             	foreach($feature2 as $subfeature)
    242. 

  242.             	{
    243. 

  243.             		if (empty($user->rights->$feature->$subfeature->creer)
    244. 

  244.             		&& empty($user->rights->$feature->$subfeature->write)
    245. 

  245.             		&& empty($user->rights->$feature->$subfeature->create)) { $createok=0; $nbko++; }
    246. 

  246.             		else { $createok=1; break; } // Break to bypass second test if the first is ok
    247. 

  247.             	}
    248. 

  248.             }
    249. 

  249.             else if (! empty($feature))		// This is for old permissions ('creer' or 'write')
    250. 

  250.             {
    251. 

  251.                 //print '<br>feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write;
    252. 

  252.                 if (empty($user->rights->$feature->creer)
    253. 

  253.                 && empty($user->rights->$feature->write)) { $createok=0; $nbko++; }
    254. 

  254.             }
    255. 

  255.         }
    256. 

  256. 

  257. 	    // If a or and at least one ok
    258. 

  258. 	    if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) $createok=1;
    259. 

  259. 

  260.         if (! $createok) accessforbidden();
    261. 

  261.         //print "Write access is ok";
    262. 

  262.     }
    263. 

  263. 

  264.     // Check create user permission
    265. 

  265.     $createuserok=1;
    266. 

  266.     if (GETPOST('action','aZ09') == 'confirm_create_user' && GETPOST("confirm") == 'yes')
    267. 

  267.     {
    268. 

  268.         if (! $user->rights->user->user->creer) $createuserok=0;
    269. 

  269. 

  270.         if (! $createuserok) accessforbidden();
    271. 

  271.         //print "Create user access is ok";
    272. 

  272.     }
    273. 

  273. 

  274.     // Check delete permission from module
    275. 

  275.     $deleteok=1; $nbko=0;
    276. 

  276.     if ((GETPOST('action','aZ09')  == 'confirm_delete' && GETPOST("confirm") == 'yes') || GETPOST('action','aZ09')  == 'delete')
    277. 

  277.     {
    278. 

  278.         foreach ($featuresarray as $feature)
    279. 

  279.         {
    280. 

  280.             if ($feature == 'contact')
    281. 

  281.             {
    282. 

  282.                 if (! $user->rights->societe->contact->supprimer) $deleteok=0;
    283. 

  283.             }
    284. 

  284.             else if ($feature == 'produit|service')
    285. 

  285.             {
    286. 

  286.                 if (! $user->rights->produit->supprimer && ! $user->rights->service->supprimer) $deleteok=0;
    287. 

  287.             }
    288. 

  288.             else if ($feature == 'commande_fournisseur')
    289. 

  289.             {
    290. 

  290.                 if (! $user->rights->fournisseur->commande->supprimer) $deleteok=0;
    291. 

  291.             }
    292. 

  292.             else if ($feature == 'banque')
    293. 

  293.             {
    294. 

  294.                 if (! $user->rights->banque->modifier) $deleteok=0;
    295. 

  295.             }
    296. 

  296.             else if ($feature == 'cheque')
    297. 

  297.             {
    298. 

  298.                 if (! $user->rights->banque->cheque) $deleteok=0;
    299. 

  299.             }
    300. 

  300.             else if ($feature == 'ecm')
    301. 

  301.             {
    302. 

  302.                 if (! $user->rights->ecm->upload) $deleteok=0;
    303. 

  303.             }
    304. 

  304.             else if ($feature == 'ftp')
    305. 

  305.             {
    306. 

  306.                 if (! $user->rights->ftp->write) $deleteok=0;
    307. 

  307.             }
    308. 

  308.             else if (! empty($feature2))	// This should be used for future changes
    309. 

  309.             {
    310. 

  310.             	foreach($feature2 as $subfeature)
    311. 

  311.             	{
    312. 

  312.             		if (empty($user->rights->$feature->$subfeature->supprimer) && empty($user->rights->$feature->$subfeature->delete)) $deleteok=0;
    313. 

  313.             		else { $deleteok=1; break; } // For bypass the second test if the first is ok
    314. 

  314.             	}
    315. 

  315.             }
    316. 

  316.             else if (! empty($feature))		// This is for old permissions
    317. 

  317.             {
    318. 

  318.                 //print '<br>feature='.$feature.' creer='.$user->rights->$feature->supprimer.' write='.$user->rights->$feature->delete;
    319. 

  319.                 if (empty($user->rights->$feature->supprimer)
    320. 

  320.                 && empty($user->rights->$feature->delete)
    321. 

  321.                 && empty($user->rights->$feature->run)) $deleteok=0;
    322. 

  322.             }
    323. 

  323.         }
    324. 

  324. 

  325. 	    // If a or and at least one ok
    326. 

  326. 	    if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) $deleteok=1;
    327. 

  327. 

  328.         if (! $deleteok) accessforbidden();
    329. 

  329.         //print "Delete access is ok";
    330. 

  330.     }
    331. 

  331. 

  332.     // If we have a particular object to check permissions on, we check this object
    333. 

  333.     // is linked to a company allowed to $user.
    334. 

  334.     if (! empty($objectid) && $objectid > 0)
    335. 

  335.     {
    336. 

  336.     	$ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
    337. 

  337. 		return $ok ? 1 : accessforbidden();
    338. 

  338.     }
    339. 

  339. 

  340.     return 1;
    341. 

  341. }
    342. 

  342. 

  343. /**
    344. 

  344.  * Check access by user to object.
    345. 

  345.  * This function is also called by restrictedArea
    346. 

  346.  *
    347. 

  347.  * @param User		$user			User to check
    348. 

  348.  * @param array		$featuresarray	Features/modules to check. Example: ('user','service')
    349. 

  349.  * @param int		$objectid		Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
    350. 

  350.  * @param string	$tableandshare	'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany modume. Param not used if objectid is null (optional).
    351. 

  351.  * @param string	$feature2		Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
    352. 

  352.  * @param string	$dbt_keyfield	Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
    353. 

  353.  * @param string	$dbt_select		Field name for select if not rowid. Not used if objectid is null (optional)
    354. 

  354.  * @return	bool		True if user has access, False otherwise
    355. 

  355.  * @see restrictedArea
    356. 

  356.  */
    357. 

  357. function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandshare='', $feature2='', $dbt_keyfield='', $dbt_select='rowid')
    358. 

  358. {
    359. 

  359. 	global $db, $conf;
    360. 

  360. 

  361. 	// More parameters
    362. 

  362. 	$params = explode('&', $tableandshare);
    363. 

  363. 	$dbtablename=(! empty($params[0]) ? $params[0] : '');
    364. 

  364. 	$sharedelement=(! empty($params[1]) ? $params[1] : $dbtablename);
    365. 

  365. 

  366. 	foreach ($featuresarray as $feature)
    367. 

  367. 	{
    368. 

  368. 		$sql='';
    369. 

  369. 

  370. 		// For backward compatibility
    371. 

  371. 		if ($feature == 'member') $feature='adherent';
    372. 

  372. 

  373. 		$check = array('adherent','banque','user','usergroup','produit','service','produit|service','categorie'); // Test on entity only (Objects with no link to company)
    374. 

  374. 		$checksoc = array('societe');	 // Test for societe object
    375. 

  375. 		$checkother = array('contact');	 // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
    376. 

  376. 		$checkproject = array('projet'); // Test for project object
    377. 

  377. 		$nocheck = array('barcode','stock','fournisseur');	// No test
    378. 

  378. 		$checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
    379. 

  379. 

  380. 		// If dbtable not defined, we use same name for table than module name
    381. 

  381. 		if (empty($dbtablename)) $dbtablename = $feature;
    382. 

  382. 

  383. 		// Check permission for object with entity
    384. 

  384. 		if (in_array($feature,$check))
    385. 

  385. 		{
    386. 

  386. 			$sql = "SELECT dbt.".$dbt_select;
    387. 

  387. 			$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    388. 

  388. 			$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
    389. 

  389. 			if (($feature == 'user' || $feature == 'usergroup') && ! empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && ! $user->entity)
    390. 

  390. 			{
    391. 

  391. 				$sql.= " AND dbt.entity IS NOT NULL";
    392. 

  392. 			}
    393. 

  393. 			else
    394. 

  394. 			{
    395. 

  395. 				$sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    396. 

  396. 			}
    397. 

  397. 		}
    398. 

  398. 		else if (in_array($feature,$checksoc))	// We check feature = checksoc
    399. 

  399. 		{
    400. 

  400. 			// If external user: Check permission for external users
    401. 

  401. 			if ($user->societe_id > 0)
    402. 

  402. 			{
    403. 

  403. 				if ($user->societe_id <> $objectid) return false;
    404. 

  404. 			}
    405. 

  405. 			// If internal user: Check permission for internal users that are restricted on their objects
    406. 

  406. 			else if (! empty($conf->societe->enabled) && ($user->rights->societe->lire && ! $user->rights->societe->client->voir))
    407. 

  407. 			{
    408. 

  408. 				$sql = "SELECT sc.fk_soc";
    409. 

  409. 				$sql.= " FROM (".MAIN_DB_PREFIX."societe_commerciaux as sc";
    410. 

  410. 				$sql.= ", ".MAIN_DB_PREFIX."societe as s)";
    411. 

  411. 				$sql.= " WHERE sc.fk_soc = ".$objectid;
    412. 

  412. 				$sql.= " AND sc.fk_user = ".$user->id;
    413. 

  413. 				$sql.= " AND sc.fk_soc = s.rowid";
    414. 

  414. 				$sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")";
    415. 

  415. 			}
    416. 

  416. 			// If multicompany and internal users with all permissions, check user is in correct entity
    417. 

  417. 			else if (! empty($conf->multicompany->enabled))
    418. 

  418. 			{
    419. 

  419. 				$sql = "SELECT s.rowid";
    420. 

  420. 				$sql.= " FROM ".MAIN_DB_PREFIX."societe as s";
    421. 

  421. 				$sql.= " WHERE s.rowid = ".$objectid;
    422. 

  422. 				$sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")";
    423. 

  423. 			}
    424. 

  424. 		}
    425. 

  425. 		else if (in_array($feature,$checkother))	// Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
    426. 

  426. 		{
    427. 

  427. 			// If external user: Check permission for external users
    428. 

  428. 			if ($user->societe_id > 0)
    429. 

  429. 			{
    430. 

  430. 				$sql = "SELECT dbt.".$dbt_select;
    431. 

  431. 				$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    432. 

  432. 				$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
    433. 

  433. 				$sql.= " AND dbt.fk_soc = ".$user->societe_id;
    434. 

  434. 			}
    435. 

  435. 			// If internal user: Check permission for internal users that are restricted on their objects
    436. 

  436. 			else if (! empty($conf->societe->enabled) && ($user->rights->societe->lire && ! $user->rights->societe->client->voir))
    437. 

  437. 			{
    438. 

  438. 				$sql = "SELECT dbt.".$dbt_select;
    439. 

  439. 				$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    440. 

  440. 				$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'";
    441. 

  441. 				$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
    442. 

  442. 				$sql.= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)";	// Contact not linked to a company or to a company of user
    443. 

  443. 				$sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    444. 

  444. 			}
    445. 

  445. 			// If multicompany and internal users with all permissions, check user is in correct entity
    446. 

  446. 			else if (! empty($conf->multicompany->enabled))
    447. 

  447. 			{
    448. 

  448. 				$sql = "SELECT dbt.".$dbt_select;
    449. 

  449. 				$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    450. 

  450. 				$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
    451. 

  451. 				$sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    452. 

  452. 			}
    453. 

  453. 		}
    454. 

  454. 		else if (in_array($feature,$checkproject))
    455. 

  455. 		{
    456. 

  456. 			if (! empty($conf->projet->enabled) && ! $user->rights->projet->all->lire)
    457. 

  457. 			{
    458. 

  458. 				include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
    459. 

  459. 				$projectstatic=new Project($db);
    460. 

  460. 				$tmps=$projectstatic->getProjectsAuthorizedForUser($user,0,1,0);
    461. 

  461. 				$tmparray=explode(',',$tmps);
    462. 

  462. 				if (! in_array($objectid,$tmparray)) return false;
    463. 

  463. 			}
    464. 

  464. 			else
    465. 

  465. 			{
    466. 

  466. 				$sql = "SELECT dbt.".$dbt_select;
    467. 

  467. 				$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    468. 

  468. 				$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
    469. 

  469. 				$sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    470. 

  470. 			}
    471. 

  471. 		}
    472. 

  472. 		else if (! in_array($feature,$nocheck))	// By default we check with link to third party
    473. 

  473. 		{
    474. 

  474. 			// If external user: Check permission for external users
    475. 

  475. 			if ($user->societe_id > 0)
    476. 

  476. 			{
    477. 

  477. 				if (empty($dbt_keyfield)) dol_print_error('','Param dbt_keyfield is required but not defined');
    478. 

  478. 				$sql = "SELECT dbt.".$dbt_keyfield;
    479. 

  479. 				$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    480. 

  480. 				$sql.= " WHERE dbt.rowid = ".$objectid;
    481. 

  481. 				$sql.= " AND dbt.".$dbt_keyfield." = ".$user->societe_id;
    482. 

  482. 			}
    483. 

  483. 			// If internal user: Check permission for internal users that are restricted on their objects
    484. 

  484. 			else if (! empty($conf->societe->enabled) && ($user->rights->societe->lire && ! $user->rights->societe->client->voir))
    485. 

  485. 			{
    486. 

  486. 				if (empty($dbt_keyfield)) dol_print_error('','Param dbt_keyfield is required but not defined');
    487. 

  487. 				$sql = "SELECT sc.fk_soc";
    488. 

  488. 				$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    489. 

  489. 				$sql.= ", ".MAIN_DB_PREFIX."societe as s";
    490. 

  490. 				$sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
    491. 

  491. 				$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
    492. 

  492. 				$sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield;
    493. 

  493. 				$sql.= " AND dbt.".$dbt_keyfield." = s.rowid";
    494. 

  494. 				$sql.= " AND s.entity IN (".getEntity($sharedelement, 1).")";
    495. 

  495. 				$sql.= " AND sc.fk_user = ".$user->id;
    496. 

  496. 			}
    497. 

  497. 			// If multicompany and internal users with all permissions, check user is in correct entity
    498. 

  498. 			else if (! empty($conf->multicompany->enabled))
    499. 

  499. 			{
    500. 

  500. 				$sql = "SELECT dbt.".$dbt_select;
    501. 

  501. 				$sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    502. 

  502. 				$sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
    503. 

  503. 				$sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    504. 

  504. 			}
    505. 

  505. 		}
    506. 

  506. 

  507. 		//print "sql=".$sql."<br>";
    508. 

  508. 		if ($sql)
    509. 

  509. 		{
    510. 

  510. 			$resql=$db->query($sql);
    511. 

  511. 			if ($resql)
    512. 

  512. 			{
    513. 

  513. 				if ($db->num_rows($resql) == 0)	return false;
    514. 

  514. 			}
    515. 

  515. 			else
    516. 

  516. 			{
    517. 

  517. 				return false;
    518. 

  518. 			}
    519. 

  519. 		}
    520. 

  520. 	}
    521. 

  521. 	return true;
    522. 

  522. }
    523. 

  523. 

  524. /**
    525. 

  525.  *	Show a message to say access is forbidden and stop program
    526. 

  526.  *	Calling this function terminate execution of PHP.
    527. 

  527.  *
    528. 

  528.  *	@param	string	$message			    Force error message
    529. 

  529.  *	@param	int		$printheader		    Show header before
    530. 

  530.  *  @param  int		$printfooter         Show footer after
    531. 

  531.  *  @param  int		$showonlymessage     Show only message parameter. Otherwise add more information.
    532. 

  532.  *  @return	void
    533. 

  533.  */
    534. 

  534. function accessforbidden($message='',$printheader=1,$printfooter=1,$showonlymessage=0)
    535. 

  535. {
    536. 

  536.     global $conf, $db, $user, $langs;
    537. 

  537.     if (! is_object($langs))
    538. 

  538.     {
    539. 

  539.         include_once DOL_DOCUMENT_ROOT.'/core/class/translate.class.php';
    540. 

  540.         $langs=new Translate('',$conf);
    541. 

  541.     }
    542. 

  542. 

  543.     $langs->load("errors");
    544. 

  544. 

  545.     if ($printheader)
    546. 

  546.     {
    547. 

  547.         if (function_exists("llxHeader")) llxHeader('');
    548. 

  548.         else if (function_exists("llxHeaderVierge")) llxHeaderVierge('');
    549. 

  549.     }
    550. 

  550.     print '<div class="error">';
    551. 

  551.     if (! $message) print $langs->trans("ErrorForbidden");
    552. 

  552.     else print $message;
    553. 

  553.     print '</div>';
    554. 

  554.     print '<br>';
    555. 

  555.     if (empty($showonlymessage))
    556. 

  556.     {
    557. 

  557.         if ($user->login)
    558. 

  558.         {
    559. 

  559.             print $langs->trans("CurrentLogin").': <font class="error">'.$user->login.'</font><br>';
    560. 

  560.             print $langs->trans("ErrorForbidden2",$langs->trans("Home"),$langs->trans("Users"));
    561. 

  561.         }
    562. 

  562.         else
    563. 

  563.         {
    564. 

  564.             print $langs->trans("ErrorForbidden3");
    565. 

  565.         }
    566. 

  566.     }
    567. 

  567.     if ($printfooter && function_exists("llxFooter")) llxFooter();
    568. 

  568.     exit(0);
    569. 

  569. }
    570. 

  570.