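/**
 * Print the page header of the payment-import screen, after verifying that the
 * current user holds the invoice-payment right.
 *
 * The permission check runs before any output: accessforbidden() terminates the
 * request, so emitting the header first would leave a half-rendered page (and
 * already-sent HTTP headers) in front of the forbidden message. This also matches
 * the "check rights, then render" order used by the other pages in this codebase.
 *
 * @param object $langs Translation object exposing trans() (passed by reference by callers)
 * @param object $user  Current user whose ->rights are checked (passed by reference by callers)
 * @return void
 */
function _printHeader(&$langs, &$user)
{
	// Deny before printing anything; accessforbidden() does not return.
	if (!$user->rights->facture->paiement) {
		accessforbidden();
	}
	llxHeader('', $langs->trans('PaymentImport'), '', '');
}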
/**
 * Abort the request when the installed database schema version of a module does
 * not match the version declared by the module class.
 *
 * The reference version is read from the global constant
 * 'ATM_MODULE_VERSION_<MODULENAME>' (upper-cased module name) and compared, with
 * loose equality, against the ->version property of a freshly instantiated module
 * object. On mismatch, accessforbidden() is called with an explanatory message and
 * the process ends. Nothing happens when the class is not loaded or declares no
 * version.
 *
 * NOTE(review): `new $moduleName(...)` instantiates a class from a string; this
 * assumes $moduleName is a code-supplied identifier, never request input — confirm
 * at the call sites.
 *
 * @param object $DoliDb     Database handler passed to the module constructor (by reference)
 * @param string $moduleName Module class name
 * @return void
 */
static function checkVersion(&$DoliDb, $moduleName)
{
	global $conf;

	// Nothing to compare against if the module class was never loaded.
	if (!class_exists($moduleName)) {
		return;
	}

	$confName = 'ATM_MODULE_VERSION_' . strtoupper($moduleName);
	$module = new $moduleName($DoliDb);

	if (empty($module->version)) {
		return;
	}

	$declared = $module->version;
	if ($conf->global->{$confName} != $declared) {
		$msg = "Your module wasn't updated (v" . $conf->global->{$confName} . " != " . $declared . "). Please reload it or launch the update of database script";
		accessforbidden($msg);
	}
}
* \file htdocs/livraison/fiche.php * \ingroup livraison * \brief Fiche descriptive d'un bon de livraison=reception * \version $Id: fiche.php,v 1.114 2011/07/31 23:24:38 eldy Exp $ */ require("../main.inc.php"); require_once(DOL_DOCUMENT_ROOT."/livraison/class/livraison.class.php"); require_once(DOL_DOCUMENT_ROOT."/includes/modules/livraison/modules_livraison.php"); require_once(DOL_DOCUMENT_ROOT."/core/class/html.formfile.class.php"); require_once(DOL_DOCUMENT_ROOT."/lib/sendings.lib.php"); if ($conf->product->enabled || $conf->service->enabled) require_once(DOL_DOCUMENT_ROOT."/product/class/product.class.php"); if ($conf->expedition_bon->enabled) require_once(DOL_DOCUMENT_ROOT."/expedition/class/expedition.class.php"); if ($conf->stock->enabled) require_once(DOL_DOCUMENT_ROOT."/product/stock/class/entrepot.class.php"); if (!$user->rights->expedition->livraison->lire) accessforbidden(); $langs->load("sendings"); $langs->load("bills"); $langs->load('deliveries'); // Security check $id = isset($_GET["id"])?$_GET["id"]:''; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'expedition',$id,'livraison','livraison'); /* * Actions */
} print '<br>'; } else { if ($id > 0 || !empty($ref)) { /* * Show object in view mode */ $result = $object->fetch($id, $ref); if ($result <= 0) { dol_print_error($db, $object->error); exit; } // fetch optionals attributes and labels $extralabels = $extrafields->fetch_name_optionals_label($object->table_element); if ($user->societe_id > 0 && $user->societe_id != $object->socid) { accessforbidden('', 0); } $result = $object->fetch_thirdparty(); $soc = new Societe($db); $result = $soc->fetch($object->socid); if ($result < 0) { dol_print_error($db); } $selleruserevenustamp = $mysoc->useRevenueStamp(); $totalpaye = $object->getSommePaiement(); $totalcreditnotes = $object->getSumCreditNotesUsed(); $totaldeposits = $object->getSumDepositsUsed(); // print "totalpaye=".$totalpaye." totalcreditnotes=".$totalcreditnotes." totaldeposts=".$totaldeposits." // selleruserrevenuestamp=".$selleruserevenustamp; // We can also use bcadd to avoid pb with floating points // For example print 239.2 - 229.3 - 9.9; does not return 0.
require_once(DOL_DOCUMENT_ROOT."/projet/class/project.class.php"); require_once(DOL_DOCUMENT_ROOT."/projet/class/task.class.php"); require_once(DOL_DOCUMENT_ROOT."/core/lib/project.lib.php"); require_once(DOL_DOCUMENT_ROOT."/core/lib/date.lib.php"); $langs->load('projects'); $langs->load('users'); $id=GETPOST('id','int'); $search_product=GETPOST('search_product'); // Security check $socid=0; if ($user->societe_id > 0) $socid = $user->societe_id; if (!$user->rights->projet->lire) accessforbidden(); $sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"]; $sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"]; $page = isset($_GET["page"])? $_GET["page"]:$_POST["page"]; $page = is_numeric($page) ? $page : 0; $page = $page == -1 ? 0 : $page; $mine = $_REQUEST['mode']=='mine' ? 1 : 0; /* * View */
/**
 * Check permissions of a user to show a page and an object. Check read permission.
 * If GETPOST('action') defined, we also check write and delete permission.
 *
 * Every denial goes through accessforbidden(), which ends the process; the function
 * only returns when access is granted. When $objectid is given, the object-level test
 * builds a SQL query per feature and denies access if it returns no row or fails.
 *
 * NOTE(review): $objectid, $dbtablename, $dbt_select and $dbt_keyfield are concatenated
 * into SQL below without escaping. They must come from code, not from request input;
 * callers are expected to have validated $objectid as an integer.
 *
 * @param User $user User to check
 * @param string $features Features to check (in most cases, it's module name. Examples: 'societe', 'contact', 'produit|service', ...)
 * @param int $objectid Object ID if we want to check permission on a particular record (optional)
 * @param string $dbtablename 'TableName&SharedElement' with Tablename is table where object is stored, SharedElement is key to define where to check entity. Not used if objectid is null (optional)
 * @param string $feature2 Feature to check, second level of permission (optional)
 * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc (optional)
 * @param string $dbt_select Field name for select if not rowid (optional)
 * @param Canvas $objcanvas Object canvas
 * @return int Always 1, die process if not allowed
 */
function restrictedArea($user, $features, $objectid = 0, $dbtablename = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $objcanvas = null)
{
	global $db, $conf;
	//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
	//print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
	//print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
	//print ", perm: ".$features."->".$feature2."=".$user->rights->$features->$feature2->lire."<br>";

	// If we use canvas, we try to use function that overload restrictedArea if provided with canvas
	if (is_object($objcanvas)) {
		if (method_exists($objcanvas->control, 'restrictedArea')) {
			return $objcanvas->control->restrictedArea($user, $features, $objectid, $dbtablename, $feature2, $dbt_keyfield, $dbt_select);
		}
	}

	// Non-rowid keys are compared as quoted SQL literals. No escaping is applied here.
	// NOTE(review): once wrapped in quotes, `$objectid > 0` further down is false (the leading
	// quote is non-numeric), so the object-level check looks skipped for non-rowid selects — confirm.
	if ($dbt_select != 'rowid') {
		$objectid = "'" . $objectid . "'";
	}

	// More features to check ('a&b' means every feature must be readable)
	$features = explode("&", $features);

	// More parameters
	$params = explode('&', $dbtablename);
	$dbtablename = !empty($params[0]) ? $params[0] : '';
	$sharedelement = !empty($params[1]) ? $params[1] : '';

	// Check read permission from module
	// TODO Replace "feature" param into caller by first level of permission
	$readok = 1;
	foreach ($features as $feature) {
		if ($feature == 'societe') {
			if (!$user->rights->societe->lire && !$user->rights->fournisseur->lire) { $readok = 0; }
		} else {
			if ($feature == 'contact') {
				if (!$user->rights->societe->contact->lire) { $readok = 0; }
			} else {
				if ($feature == 'produit|service') {
					if (!$user->rights->produit->lire && !$user->rights->service->lire) { $readok = 0; }
				} else {
					if ($feature == 'prelevement') {
						if (!$user->rights->prelevement->bons->lire) { $readok = 0; }
					} else {
						if ($feature == 'commande_fournisseur') {
							if (!$user->rights->fournisseur->commande->lire) { $readok = 0; }
						} else {
							if ($feature == 'cheque') {
								if (!$user->rights->banque->cheque) { $readok = 0; }
							} else {
								if ($feature == 'projet') {
									if (!$user->rights->projet->lire && !$user->rights->projet->all->lire) { $readok = 0; }
								} else {
									if (!empty($feature2)) {
										// Second-level permission: either the French or the English right name grants read
										if (empty($user->rights->{$feature}->{$feature2}->lire) && empty($user->rights->{$feature}->{$feature2}->read)) { $readok = 0; }
									} else {
										// 'user' and 'usergroup' carry no first-level read right of their own
										if (!empty($feature) && ($feature != 'user' && $feature != 'usergroup')) {
											if (empty($user->rights->{$feature}->lire) && empty($user->rights->{$feature}->read) && empty($user->rights->{$feature}->run)) { $readok = 0; }
										}
									}
								}
							}
						}
					}
				}
			}
		}
	}
	// Admin returns here: the write/delete checks and the object-level check below are skipped for admins.
	if ($user->admin) { return 1; }
	if (!$readok) { accessforbidden(); }
	//print "Read access is ok";

	// Check write permission from module
	$createok = 1;
	if (GETPOST("action") == 'create') {
		foreach ($features as $feature) {
			if ($feature == 'contact') {
				if (!$user->rights->societe->contact->creer) { $createok = 0; }
			} else {
				if ($feature == 'produit|service') {
					if (!$user->rights->produit->creer && !$user->rights->service->creer) { $createok = 0; }
				} else {
					if ($feature == 'prelevement') {
						if (!$user->rights->prelevement->bons->creer) { $createok = 0; }
					} else {
						if ($feature == 'commande_fournisseur') {
							if (!$user->rights->fournisseur->commande->creer) { $createok = 0; }
						} else {
							if ($feature == 'banque') {
								if (!$user->rights->banque->modifier) { $createok = 0; }
							} else {
								if ($feature == 'cheque') {
									if (!$user->rights->banque->cheque) { $createok = 0; }
								} else {
									if (!empty($feature2)) {
										if (empty($user->rights->{$feature}->{$feature2}->creer) && empty($user->rights->{$feature}->{$feature2}->write)) { $createok = 0; }
									} else {
										if (!empty($feature)) {
											//print '<br>feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write;
											if (empty($user->rights->{$feature}->creer) && empty($user->rights->{$feature}->write)) { $createok = 0; }
										}
									}
								}
							}
						}
					}
				}
			}
		}
		if ($user->admin) { $createok = 1; }
		if (!$createok) { accessforbidden(); }
		//print "Write access is ok";
	}

	// Check create user permission
	$createuserok = 1;
	if (GETPOST("action") == 'confirm_create_user' && GETPOST("confirm") == 'yes') {
		if (!$user->rights->user->user->creer) { $createuserok = 0; }
		if (!$createuserok) { accessforbidden(); }
		//print "Create user access is ok";
	}

	// Check delete permission from module
	$deleteok = 1;
	if (GETPOST("action") == 'confirm_delete' && GETPOST("confirm") == 'yes' || GETPOST("action") == 'delete') {
		foreach ($features as $feature) {
			if ($feature == 'contact') {
				if (!$user->rights->societe->contact->supprimer) { $deleteok = 0; }
			} else {
				if ($feature == 'produit|service') {
					if (!$user->rights->produit->supprimer && !$user->rights->service->supprimer) { $deleteok = 0; }
				} else {
					if ($feature == 'commande_fournisseur') {
						if (!$user->rights->fournisseur->commande->supprimer) { $deleteok = 0; }
					} else {
						if ($feature == 'banque') {
							if (!$user->rights->banque->modifier) { $deleteok = 0; }
						} else {
							if ($feature == 'cheque') {
								if (!$user->rights->banque->cheque) { $deleteok = 0; }
							} else {
								if ($feature == 'ecm') {
									if (!$user->rights->ecm->upload) { $deleteok = 0; }
								} else {
									if ($feature == 'ftp') {
										if (!$user->rights->ftp->write) { $deleteok = 0; }
									} else {
										if (!empty($feature2)) {
											if (empty($user->rights->{$feature}->{$feature2}->supprimer) && empty($user->rights->{$feature}->{$feature2}->delete)) { $deleteok = 0; }
										} else {
											if (!empty($feature)) {
												//print '<br>feature='.$feature.' creer='.$user->rights->$feature->supprimer.' write='.$user->rights->$feature->delete;
												if (empty($user->rights->{$feature}->supprimer) && empty($user->rights->{$feature}->delete)) { $deleteok = 0; }
											}
										}
									}
								}
							}
						}
					}
				}
			}
		}
		//print "Delete access is ko";
		if (!$deleteok) { accessforbidden(); }
		//print "Delete access is ok";
	}

	// If we have a particular object to check permissions on, we check this object
	// is linked to a company allowed to $user.
	if (!empty($objectid) && $objectid > 0) {
		foreach ($features as $feature) {
			$sql = '';
			$check = array('adherent', 'banque', 'user', 'usergroup', 'produit', 'service', 'produit|service', 'categorie'); // Test on entity only (Objects with no link to company)
			$checksoc = array('societe'); // Test for societe object
			$checkother = array('contact'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
			$checkproject = array('projet'); // Test for project object
			$nocheck = array('barcode', 'stock', 'fournisseur'); // No test
			$checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).

			// If dbtable not defined, we use same name for table than module name
			if (empty($dbtablename)) { $dbtablename = $feature; }

			// Check permission for object with entity
			if (in_array($feature, $check)) {
				$sql = "SELECT dbt." . $dbt_select;
				$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
				$sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
				if (($feature == 'user' || $feature == 'usergroup') && !empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) {
					$sql .= " AND dbt.entity IS NOT NULL";
				} else {
					$sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
				}
			} else {
				if (in_array($feature, $checksoc)) {
					// If external user: Check permission for external users
					if ($user->societe_id > 0) {
						// External users may only see their own third party
						if ($user->societe_id != $objectid) { accessforbidden(); }
					} else {
						if (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
							// User without "see all customers" right: the third party must be assigned to this user
							$sql = "SELECT sc.fk_soc";
							$sql .= " FROM (" . MAIN_DB_PREFIX . "societe_commerciaux as sc";
							$sql .= ", " . MAIN_DB_PREFIX . "societe as s)";
							$sql .= " WHERE sc.fk_soc = " . $objectid;
							// NOTE(review): "******" below is a redaction artifact in this copy; the original expression is not visible here.
							$sql .= " AND sc.fk_user = "******" AND sc.fk_soc = s.rowid";
							$sql .= " AND s.entity IN (" . getEntity($sharedelement, 1) . ")";
						} else {
							if (!empty($conf->multicompany->enabled)) {
								$sql = "SELECT s.rowid";
								$sql .= " FROM " . MAIN_DB_PREFIX . "societe as s";
								$sql .= " WHERE s.rowid = " . $objectid;
								$sql .= " AND s.entity IN (" . getEntity($sharedelement, 1) . ")";
							}
						}
					}
				} else {
					if (in_array($feature, $checkother)) {
						// If external user: Check permission for external users
						if ($user->societe_id > 0) {
							$sql = "SELECT dbt.rowid";
							$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
							$sql .= " WHERE dbt.rowid = " . $objectid;
							$sql .= " AND dbt.fk_soc = " . $user->societe_id;
						} else {
							if (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
								$sql = "SELECT dbt.rowid";
								$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
								// NOTE(review): '******' below is a redaction artifact in this copy; the original value is not visible here.
								$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '******'";
								$sql .= " WHERE dbt.rowid = " . $objectid;
								$sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
								$sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
							} else {
								if (!empty($conf->multicompany->enabled)) {
									$sql = "SELECT dbt.rowid";
									$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
									$sql .= " WHERE dbt.rowid = " . $objectid;
									$sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
								}
							}
						}
					} else {
						if (in_array($feature, $checkproject)) {
							if (!empty($conf->projet->enabled) && !$user->rights->projet->all->lire) {
								// Project access is decided by the project class, not by SQL built here
								include_once DOL_DOCUMENT_ROOT . "/projet/class/project.class.php";
								$projectstatic = new Project($db);
								$tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0);
								$tmparray = explode(',', $tmps);
								if (!in_array($objectid, $tmparray)) { accessforbidden(); }
							} else {
								$sql = "SELECT dbt." . $dbt_select;
								$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
								$sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
								$sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
							}
						} else {
							if (!in_array($feature, $nocheck)) {
								// Default case: the object must be linked, through $dbt_keyfield, to a third party the user may see
								// If external user: Check permission for external users
								if ($user->societe_id > 0) {
									$sql = "SELECT dbt." . $dbt_keyfield;
									$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
									$sql .= " WHERE dbt.rowid = " . $objectid;
									$sql .= " AND dbt." . $dbt_keyfield . " = " . $user->societe_id;
								} else {
									if (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
										$sql = "SELECT sc.fk_soc";
										$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
										$sql .= ", " . MAIN_DB_PREFIX . "societe as s";
										$sql .= ", " . MAIN_DB_PREFIX . "societe_commerciaux as sc";
										$sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
										$sql .= " AND sc.fk_soc = dbt." . $dbt_keyfield;
										$sql .= " AND dbt." . $dbt_keyfield . " = s.rowid";
										$sql .= " AND s.entity IN (" . getEntity($sharedelement, 1) . ")";
										// NOTE(review): "******" below is a redaction artifact in this copy; it swallowed the end of this
										// branch and the opening of the following else/multicompany branch, so the braces that follow
										// do not balance in this copy. The original text is not recoverable from the page.
										$sql .= " AND sc.fk_user = "******"SELECT dbt." . $dbt_select;
										$sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
										$sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
										$sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
									}
								}
							}
						}
					}
				}
			}
			//print $sql."<br>";
			// Fail closed: no matching row, or a query error, both end in accessforbidden().
			if ($sql) {
				$resql = $db->query($sql);
				if ($resql) {
					if ($db->num_rows($resql) == 0) { accessforbidden(); }
				} else {
					dol_syslog("security.lib:restrictedArea sql=" . $sql, LOG_ERR);
					accessforbidden();
				}
			}
		}
	}
	return 1;
}
require_once DOL_DOCUMENT_ROOT . '/core/lib/company.lib.php'; // Init vars $errmsg = ''; $num = 0; $error = 0; $backtopage = GETPOST('backtopage', 'alpha'); $action = GETPOST('action', 'alpha'); // Load translation files $langs->load("main"); $langs->load("members"); $langs->load("companies"); $langs->load("install"); $langs->load("other"); // Security check if (empty($conf->adherent->enabled)) { accessforbidden('', 0, 0, 1); } if (empty($conf->global->MEMBER_ENABLE_PUBLIC)) { print $langs->trans("Auto subscription form for public visitors has not been enabled"); exit; } $extrafields = new ExtraFields($db); /** * Show header for new member * * @param string $title Title * @param string $head Head array * @param int $disablejs More content into html header * @param int $disablehead More content into html header * @param array $arrayofjs Array of complementary js files * @param array $arrayofcss Array of complementary css files
*/ /** \file htdocs/commande/note.php \ingroup commande \brief Fiche de notes sur une commande \version $Id: note.php,v 1.24 2011/07/31 22:23:15 eldy Exp $ */ require("../main.inc.php"); require_once(DOL_DOCUMENT_ROOT.'/lib/order.lib.php'); require_once(DOL_DOCUMENT_ROOT ."/commande/class/commande.class.php"); $socid=isset($_GET["socid"])?$_GET["socid"]:isset($_POST["socid"])?$_POST["socid"]:""; if (!$user->rights->commande->lire) accessforbidden(); $langs->load("companies"); $langs->load("bills"); $langs->load("orders"); // Security check $socid=0; $comid = isset($_GET["id"])?$_GET["id"]:''; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'commande',$comid,''); $id = $_GET['id']; $ref= $_GET['ref']; $commande = new Commande($db);
* You should have received a copy of the GNU General Public License * along with this program. If not, see <http://www.gnu.org/licenses/>. */ /** * \file htdocs/opensurvey/list.php * \ingroup opensurvey * \brief Page to list surveys */ require_once('../main.inc.php'); require_once(DOL_DOCUMENT_ROOT."/core/lib/admin.lib.php"); require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php"); // Security check if (!$user->rights->opensurvey->read) accessforbidden(); $action=GETPOST('action'); $id=GETPOST('id','alpha'); $numsondage= $id; $surveytitle=GETPOST('surveytitle'); $status=GETPOST('status'); //if (! isset($_POST['status']) && ! isset($_GET['status'])) $status='opened'; // If filter unknown, we choose 'opened' $sortfield = GETPOST("sortfield",'alpha'); $sortorder = GETPOST("sortorder",'alpha'); $limit = GETPOST('limit')?GETPOST('limit','int'):$conf->liste_limit; $page = GETPOST("page",'int'); if ($page == -1) { $page = 0; } $offset = $limit * $page; $pageprev = $page - 1;
<?php require 'config.php'; /* * Statistique sur les postes de travail de l'ordonnancement */ if (!$conf->workstation->enabled) { accessforbidden($lang->trans('moduleWorkstationNeeded')); } if (!$conf->report->enabled) { accessforbidden($lang->trans('moduleReportNeeded')); } define('INC_FROM_DOLIBARR', true); dol_include_once('/workstation/config.php'); dol_include_once('/report/class/dashboard.class.php'); $PDOdb = new TPDOdb(); $TWS = TWorkstation::getWorstations($PDOdb, false); llxHeader('', $langs->trans('OrdonnancementStat')); print_fiche_titre('Filtres'); echo '<div class="tabBar">'; $form1 = new TFormcore('auto', 'form1', 'post'); echo '<table>'; ?> <tr> <td>Date de début : </td> <td><?php echo $form1->calendrier('', 'date_deb', $_REQUEST['date_deb'] ? $_REQUEST['date_deb'] : ''); ?> </td> </tr> <tr>
} } } } if (!defined('NOLOGIN')) { // If the login is not recovered, it is identified with an account that does not exist. // Hacking attempt? if (!$user->login) { accessforbidden(); } // Check if user is active if ($user->statut < 1) { // If not active, we refuse the user $langs->load("other"); dol_syslog("Authentification ko as login is disabled"); accessforbidden($langs->trans("ErrorLoginDisabled")); exit; } // Load permissions $user->getrights(); } dol_syslog("--- Access to " . $_SERVER["PHP_SELF"]); //Another call for easy debugg //dol_syslog("Access to ".$_SERVER["PHP_SELF"].' GET='.join(',',array_keys($_GET)).'->'.join(',',$_GET).' POST:'.join(',',array_keys($_POST)).'->'.join(',',$_POST)); // Load main languages files if (!defined('NOREQUIRETRAN')) { $langs->load("main"); $langs->load("dict"); } // Define some constants used for style of arrays $bc = array(0 => 'class="impair"', 1 => 'class="pair"');
/**
 * Check whether $user may read this project.
 *
 * Access is granted when the user holds the global project read right, when the
 * project is public and the user holds the plain project read right, or when the
 * user appears among the project's internal/external contacts with a PROJECT role.
 *
 * @param User $user    User to evaluate
 * @param int  $noprint 0=call accessforbidden() when access is denied, 1=return -1 instead
 * @return int          Number of granting rules matched (>= 1), or -1 when denied and $noprint is set
 */
function restrictedProjectArea($user,$noprint=0)
{
	$userAccess = 0;

	if ($user->rights->projet->all->lire) {
		$userAccess = 1;
	} elseif ($this->public && $user->rights->projet->lire) {
		$userAccess = 1;
	} else {
		// Count the PROJECT-role contact links, on both sources, that belong to this user.
		foreach (array('internal','external') as $source) {
			$links = $this->liste_contact(4,$source);
			$count = sizeof($links);
			for ($i = 0; $i < $count; $i++) {
				$link = $links[$i];
				if (preg_match('/PROJECT/',$link['code']) && $user->id == $link['id']) {
					$userAccess++;
				}
			}
		}
	}

	if (! $userAccess) {
		if ($noprint) {
			return -1;
		}
		accessforbidden('',0);
	}

	return $userAccess;
}
* along with this program. If not, see <http://www.gnu.org/licenses/>. */ /** * \file htdocs/comm/mailing/liste.php * \ingroup mailing * \brief Liste des mailings * \version $Id: liste.php,v 1.23 2011/08/03 00:46:33 eldy Exp $ */ require("../../main.inc.php"); require_once(DOL_DOCUMENT_ROOT."/comm/mailing/class/mailing.class.php"); $langs->load("mails"); if (!$user->rights->mailing->lire) accessforbidden(); // Securite acces client if ($user->societe_id > 0) { $action = ''; $socid = $user->societe_id; } $sortfield = GETPOST("sortfield",'alpha'); $sortorder = GETPOST("sortorder",'alpha'); $page = GETPOST("page",'int'); if ($page == -1) { $page = 0; } $offset = $conf->liste_limit * $page; $pageprev = $page - 1; $pagenext = $page + 1;
/**
 * Check permissions of a user to show a page and an object. Check read permission.
 * If GETPOST('action') defined, we also check write and delete permission.
 *
 * $features may combine modules with '&' (all must pass) or '|' (at least one must
 * pass; the "or" is resolved after each loop using the $nbko counter). Every denial
 * goes through accessforbidden(), which ends the process; the function only returns
 * when access is granted. The object-level test is delegated to checkUserAccessToObject().
 *
 * NOTE(review): $objectid is wrapped in quotes for non-rowid/id selects without any
 * escaping; it must already be validated (typically as an int) by the caller.
 *
 * @param User $user User to check
 * @param string $features Features to check (it must be module name. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
 * @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
 * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
 * @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
 * @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
 * @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
 * @param Canvas $objcanvas Object canvas
 * @return int Always 1, die process if not allowed
 */
function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $objcanvas = null)
{
	global $db, $conf;
	//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
	//print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
	//print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
	//print ", perm: ".$features."->".$feature2."=".($user->rights->$features->$feature2->lire)."<br>";

	// If we use canvas, we try to use function that overload restrictedArea if provided with canvas
	if (is_object($objcanvas)) {
		if (method_exists($objcanvas->control, 'restrictedArea')) {
			// NOTE(review): $dbtablename is not assigned yet at this point (it is derived from
			// $tableandshare further down), so the canvas override receives an undefined value;
			// presumably $tableandshare was intended — confirm.
			return $objcanvas->control->restrictedArea($user, $features, $objectid, $dbtablename, $feature2, $dbt_keyfield, $dbt_select);
		}
	}

	// Non-rowid/id keys are compared as quoted SQL literals. No escaping is applied here.
	// NOTE(review): once wrapped in quotes, `$objectid > 0` at the end is false (the leading quote
	// is non-numeric), so the object-level check looks skipped for such selects — confirm.
	if ($dbt_select != 'rowid' && $dbt_select != 'id') {
		$objectid = "'" . $objectid . "'";
	}

	// Features/modules to check ('&' = all required, '|' = any one suffices)
	$featuresarray = array($features);
	if (preg_match('/&/', $features)) {
		$featuresarray = explode("&", $features);
	} else {
		if (preg_match('/\\|/', $features)) {
			$featuresarray = explode("|", $features);
		}
	}

	// More subfeatures to check ('|' = any one suffices)
	if (!empty($feature2)) {
		$feature2 = explode("|", $feature2);
	}

	// More parameters
	$params = explode('&', $tableandshare);
	$dbtablename = !empty($params[0]) ? $params[0] : '';
	$sharedelement = !empty($params[1]) ? $params[1] : $dbtablename;

	$listofmodules = explode(',', $conf->global->MAIN_MODULES_FOR_EXTERNAL);

	// Check read permission from module
	$readok = 1;
	$nbko = 0;
	foreach ($featuresarray as $feature) {
		// External users are restricted to the modules listed in MAIN_MODULES_FOR_EXTERNAL, when that list is set
		if (!empty($user->societe_id) && !empty($conf->global->MAIN_MODULES_FOR_EXTERNAL) && !in_array($feature, $listofmodules)) {
			$readok = 0;
			$nbko++;
			continue;
		}

		if ($feature == 'societe') {
			if (!$user->rights->societe->lire && !$user->rights->fournisseur->lire) { $readok = 0; $nbko++; }
		} else {
			if ($feature == 'contact') {
				if (!$user->rights->societe->contact->lire) { $readok = 0; $nbko++; }
			} else {
				if ($feature == 'produit|service') {
					// NOTE(review): a '|' in $features is split above, so this literal value can only match
					// when $features contained no '&' and no '|' at all — i.e. presumably never; confirm.
					if (!$user->rights->produit->lire && !$user->rights->service->lire) { $readok = 0; $nbko++; }
				} else {
					if ($feature == 'prelevement') {
						if (!$user->rights->prelevement->bons->lire) { $readok = 0; $nbko++; }
					} else {
						if ($feature == 'cheque') {
							if (!$user->rights->banque->cheque) { $readok = 0; $nbko++; }
						} else {
							if ($feature == 'projet') {
								if (!$user->rights->projet->lire && !$user->rights->projet->all->lire) { $readok = 0; $nbko++; }
							} else {
								if (!empty($feature2)) {
									// Second-level rights: one granting subfeature is enough (hence the break)
									$tmpreadok = 1;
									foreach ($feature2 as $subfeature) {
										if (!empty($subfeature) && empty($user->rights->{$feature}->{$subfeature}->lire) && empty($user->rights->{$feature}->{$subfeature}->read)) {
											$tmpreadok = 0;
										} else {
											if (empty($subfeature) && empty($user->rights->{$feature}->lire) && empty($user->rights->{$feature}->read)) {
												$tmpreadok = 0;
											} else {
												$tmpreadok = 1;
												break;
											}
										} // Break is to bypass second test if the first is ok
									}
									if (!$tmpreadok) {
										$readok = 0; // All tests are ko (we manage here the and, the or will be managed later using $nbko).
										$nbko++;
									}
								} else {
									// 'user' and 'usergroup' carry no first-level read right of their own
									if (!empty($feature) && ($feature != 'user' && $feature != 'usergroup')) {
										if (empty($user->rights->{$feature}->lire) && empty($user->rights->{$feature}->read) && empty($user->rights->{$feature}->run)) { $readok = 0; $nbko++; }
									}
								}
							}
						}
					}
				}
			}
		}
	}
	// If a or and at least one ok
	if (preg_match('/\\|/', $features) && $nbko < count($featuresarray)) {
		$readok = 1;
	}
	if (!$readok) { accessforbidden(); }
	//print "Read access is ok";

	// Check write permission from module
	$createok = 1;
	$nbko = 0;
	if (GETPOST("action") == 'create') {
		foreach ($featuresarray as $feature) {
			if ($feature == 'contact') {
				if (!$user->rights->societe->contact->creer) { $createok = 0; $nbko++; }
			} else {
				if ($feature == 'produit|service') {
					if (!$user->rights->produit->creer && !$user->rights->service->creer) { $createok = 0; $nbko++; }
				} else {
					if ($feature == 'prelevement') {
						if (!$user->rights->prelevement->bons->creer) { $createok = 0; $nbko++; }
					} else {
						if ($feature == 'commande_fournisseur') {
							if (!$user->rights->fournisseur->commande->creer) { $createok = 0; $nbko++; }
						} else {
							if ($feature == 'banque') {
								if (!$user->rights->banque->modifier) { $createok = 0; $nbko++; }
							} else {
								if ($feature == 'cheque') {
									if (!$user->rights->banque->cheque) { $createok = 0; $nbko++; }
								} else {
									if (!empty($feature2)) {
										foreach ($feature2 as $subfeature) {
											if (empty($user->rights->{$feature}->{$subfeature}->creer) && empty($user->rights->{$feature}->{$subfeature}->write) && empty($user->rights->{$feature}->{$subfeature}->create)) {
												$createok = 0;
												$nbko++;
											} else {
												$createok = 1;
												break;
											} // Break to bypass second test if the first is ok
										}
									} else {
										if (!empty($feature)) {
											//print '<br>feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write;
											if (empty($user->rights->{$feature}->creer) && empty($user->rights->{$feature}->write)) { $createok = 0; $nbko++; }
										}
									}
								}
							}
						}
					}
				}
			}
		}
		// If a or and at least one ok
		if (preg_match('/\\|/', $features) && $nbko < count($featuresarray)) {
			$createok = 1;
		}
		if (!$createok) { accessforbidden(); }
		//print "Write access is ok";
	}

	// Check create user permission
	$createuserok = 1;
	if (GETPOST("action") == 'confirm_create_user' && GETPOST("confirm") == 'yes') {
		if (!$user->rights->user->user->creer) { $createuserok = 0; }
		if (!$createuserok) { accessforbidden(); }
		//print "Create user access is ok";
	}

	// Check delete permission from module
	$deleteok = 1;
	$nbko = 0;
	if (GETPOST("action") == 'confirm_delete' && GETPOST("confirm") == 'yes' || GETPOST("action") == 'delete') {
		// NOTE(review): unlike the read and create loops, nothing in this loop increments $nbko, so for any
		// '|' feature string the "or" relaxation after the loop always resets $deleteok to 1 — confirm
		// whether that is intended; if not, each `$deleteok = 0;` below should also do `$nbko++;`.
		foreach ($featuresarray as $feature) {
			if ($feature == 'contact') {
				if (!$user->rights->societe->contact->supprimer) { $deleteok = 0; }
			} else {
				if ($feature == 'produit|service') {
					if (!$user->rights->produit->supprimer && !$user->rights->service->supprimer) { $deleteok = 0; }
				} else {
					if ($feature == 'commande_fournisseur') {
						if (!$user->rights->fournisseur->commande->supprimer) { $deleteok = 0; }
					} else {
						if ($feature == 'banque') {
							if (!$user->rights->banque->modifier) { $deleteok = 0; }
						} else {
							if ($feature == 'cheque') {
								if (!$user->rights->banque->cheque) { $deleteok = 0; }
							} else {
								if ($feature == 'ecm') {
									if (!$user->rights->ecm->upload) { $deleteok = 0; }
								} else {
									if ($feature == 'ftp') {
										if (!$user->rights->ftp->write) { $deleteok = 0; }
									} else {
										if (!empty($feature2)) {
											foreach ($feature2 as $subfeature) {
												if (empty($user->rights->{$feature}->{$subfeature}->supprimer) && empty($user->rights->{$feature}->{$subfeature}->delete)) {
													$deleteok = 0;
												} else {
													$deleteok = 1;
													break;
												} // For bypass the second test if the first is ok
											}
										} else {
											if (!empty($feature)) {
												//print '<br>feature='.$feature.' creer='.$user->rights->$feature->supprimer.' write='.$user->rights->$feature->delete;
												if (empty($user->rights->{$feature}->supprimer) && empty($user->rights->{$feature}->delete) && empty($user->rights->{$feature}->run)) { $deleteok = 0; }
											}
										}
									}
								}
							}
						}
					}
				}
			}
		}
		// If a or and at least one ok
		if (preg_match('/\\|/', $features) && $nbko < count($featuresarray)) {
			$deleteok = 1;
		}
		if (!$deleteok) { accessforbidden(); }
		//print "Delete access is ok";
	}

	// If we have a particular object to check permissions on, we check this object
	// is linked to a company allowed to $user.
	if (!empty($objectid) && $objectid > 0) {
		$ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
		// accessforbidden() does not return, so only the granted path yields 1
		return $ok ? 1 : accessforbidden();
	}

	return 1;
}
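/**
 * Check that the current user may show a page and, optionally, one record of it.
 *
 * Read permission on every feature listed in $features is always required. When the
 * request carries an action (create, confirm_create_user, delete / confirm_delete,
 * all read with GETPOST) the matching create or delete permission is required too.
 * When $objectid is given, the record is additionally checked to belong to a third
 * party (or to an entity) the user is allowed to see.
 *
 * Every failed check ends the request through accessforbidden(); the function only
 * returns when all checks passed.
 *
 * $dbtablename, $dbt_keyfield and $dbt_select are spliced into SQL as identifiers and
 * must therefore always be literals chosen by the calling page, never request data.
 *
 * @param  User   $user         User to check
 * @param  string $features     Feature(s) to check, '&'-separated (in most cases the module name)
 * @param  mixed  $objectid     Id (or value of $dbt_select) of a particular record to check (optional, 0 = none)
 * @param  string $dbtablename  Table holding the record, without prefix; defaults to the feature name (optional)
 * @param  string $feature2     Second level of permission to check (optional)
 * @param  string $dbt_keyfield Column holding the third-party foreign key if not fk_soc (optional)
 * @param  string $dbt_select   Column $objectid is matched against if not rowid (optional)
 * @return int                  Always 1; the process dies if access is not allowed
 */
function restrictedArea($user, $features='societe', $objectid=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid')
{
    global $db, $conf;

    // $objectid comes straight from the request in the visible callers (e.g. $_GET["id"])
    // and is concatenated into the SQL below, so it is normalised here once.
    //  - with the default rowid key it is forced to an integer;
    //  - with any other key it is quoted, and a value carrying a quote or a backslash is
    //    refused outright because the DB layer's escaping helper is not in scope here.
    // The SQL literal is kept apart from the raw value on purpose: the original code
    // quoted $objectid in place, which made the "$objectid > 0" test always false for
    // non-rowid keys and silently skipped the record check in that case.
    if ($dbt_select != 'rowid')
    {
        if (preg_match('/[\'"\\\\]/', $objectid)) accessforbidden();
        $objectidsql = "'".$objectid."'";
        $objectcheck = (! empty($objectid));
    }
    else
    {
        $objectid    = (int) $objectid;
        $objectidsql = $objectid;
        $objectcheck = ($objectid > 0);
    }

    // More features to check
    $features = explode("&", $features);

    // Check read permission from module
    // TODO Replace "feature" param by permission for reading
    $readok = 1;
    foreach ($features as $feature)
    {
        if ($feature == 'societe')
        {
            if (! $user->rights->societe->lire && ! $user->rights->fournisseur->lire) $readok = 0;
        }
        else if ($feature == 'contact')
        {
            if (! $user->rights->societe->contact->lire) $readok = 0;
        }
        else if ($feature == 'produit|service')
        {
            if (! $user->rights->produit->lire && ! $user->rights->service->lire) $readok = 0;
        }
        else if ($feature == 'prelevement')
        {
            if (! $user->rights->prelevement->bons->lire) $readok = 0;
        }
        else if ($feature == 'commande_fournisseur')
        {
            if (! $user->rights->fournisseur->commande->lire) $readok = 0;
        }
        else if ($feature == 'cheque')
        {
            if (! $user->rights->banque->cheque) $readok = 0;
        }
        else if ($feature == 'projet')
        {
            if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) $readok = 0;
        }
        else if (! empty($feature2))    // This should be used for future changes
        {
            if (empty($user->rights->$feature->$feature2->lire) && empty($user->rights->$feature->$feature2->read)) $readok = 0;
        }
        else if (! empty($feature) && ($feature != 'user' && $feature != 'usergroup'))    // This is for old permissions; user/usergroup carry no read check here
        {
            if (empty($user->rights->$feature->lire) && empty($user->rights->$feature->read) && empty($user->rights->$feature->run)) $readok = 0;
        }
    }
    if (! $readok) accessforbidden();

    // Check write permission from module
    $createok = 1;
    if (GETPOST("action") && GETPOST("action") == 'create')
    {
        foreach ($features as $feature)
        {
            if ($feature == 'contact')
            {
                if (! $user->rights->societe->contact->creer) $createok = 0;
            }
            else if ($feature == 'produit|service')
            {
                if (! $user->rights->produit->creer && ! $user->rights->service->creer) $createok = 0;
            }
            else if ($feature == 'prelevement')
            {
                if (! $user->rights->prelevement->bons->creer) $createok = 0;
            }
            else if ($feature == 'commande_fournisseur')
            {
                if (! $user->rights->fournisseur->commande->creer) $createok = 0;
            }
            else if ($feature == 'banque')
            {
                if (! $user->rights->banque->modifier) $createok = 0;
            }
            else if ($feature == 'cheque')
            {
                if (! $user->rights->banque->cheque) $createok = 0;
            }
            else if (! empty($feature2))    // This should be used for future changes
            {
                if (empty($user->rights->$feature->$feature2->creer) && empty($user->rights->$feature->$feature2->write)) $createok = 0;
            }
            else if (! empty($feature))    // This is for old permissions
            {
                if (empty($user->rights->$feature->creer) && empty($user->rights->$feature->write)) $createok = 0;
            }
        }
        if (! $createok) accessforbidden();
    }

    // Check create user permission
    $createuserok = 1;
    if (GETPOST("action") && (GETPOST("action") == 'confirm_create_user' && GETPOST("confirm") == 'yes'))
    {
        if (! $user->rights->user->user->creer) $createuserok = 0;
        if (! $createuserok) accessforbidden();
    }

    // Check delete permission from module
    $deleteok = 1;
    if (GETPOST("action") && ((GETPOST("action") == 'confirm_delete' && GETPOST("confirm") && GETPOST("confirm") == 'yes') || GETPOST("action") == 'delete'))
    {
        foreach ($features as $feature)
        {
            if ($feature == 'contact')
            {
                if (! $user->rights->societe->contact->supprimer) $deleteok = 0;
            }
            else if ($feature == 'produit|service')
            {
                if (! $user->rights->produit->supprimer && ! $user->rights->service->supprimer) $deleteok = 0;
            }
            else if ($feature == 'commande_fournisseur')
            {
                if (! $user->rights->fournisseur->commande->supprimer) $deleteok = 0;
            }
            else if ($feature == 'banque')
            {
                if (! $user->rights->banque->modifier) $deleteok = 0;
            }
            else if ($feature == 'cheque')
            {
                if (! $user->rights->banque->cheque) $deleteok = 0;
            }
            else if ($feature == 'ecm')
            {
                if (! $user->rights->ecm->upload) $deleteok = 0;
            }
            else if ($feature == 'ftp')
            {
                if (! $user->rights->ftp->write) $deleteok = 0;
            }
            else if (! empty($feature2))    // This should be used for future changes
            {
                if (empty($user->rights->$feature->$feature2->supprimer) && empty($user->rights->$feature->$feature2->delete)) $deleteok = 0;
            }
            else if (! empty($feature))    // This is for old permissions
            {
                if (empty($user->rights->$feature->supprimer) && empty($user->rights->$feature->delete)) $deleteok = 0;
            }
        }
        if (! $deleteok) accessforbidden();
    }

    // If we have a particular object to check permissions on, we check this object
    // is linked to a company (or an entity) allowed to $user.
    if ($objectcheck)
    {
        $check        = array('banque','user','usergroup','produit','service','produit|service');   // Test on entity only (objects with no link to company)
        $checksoc     = array('societe');                                                            // Test for societe object
        $checkother   = array('contact');                                                            // Test on entity and link to societe. Allowed if link is empty (ex: contacts)
        $checkproject = array('projet');                                                             // Test for project object
        $nocheck      = array('categorie','barcode','stock','fournisseur');                          // No test
        // Every other feature: test on entity and link to third party. Not allowed if link is empty (ex: invoices, orders)

        // NOTE(review): in the copy of this function reviewed here the user id inside the three
        // "sc.fk_user = ..." clauses below had been masked; it is restored as $user->id, which is
        // what a societe_commerciaux.fk_user comparison means. Confirm against the upstream file.
        foreach ($features as $feature)
        {
            $sql = '';

            // If dbtable not defined, we use same name for table than module name
            if (empty($dbtablename)) $dbtablename = $feature;

            // Entity the record must belong to (0 = shared by all entities)
            $entity = (! empty($conf->entities[$dbtablename]) ? $conf->entities[$dbtablename] : $conf->entity);

            if (in_array($feature, $check))
            {
                // Check permission for object with entity
                $sql = "SELECT dbt.".$dbt_select;
                $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                $sql.= " WHERE dbt.".$dbt_select." = ".$objectidsql;
                $sql.= " AND dbt.entity IN (0,".$entity.")";
            }
            else if (in_array($feature, $checksoc))
            {
                if ($user->societe_id > 0)
                {
                    // External user: may only reach its own company
                    if ($user->societe_id <> $objectid) accessforbidden();
                }
                else if (! $user->rights->societe->client->voir)
                {
                    // Internal user restricted to the companies assigned to him
                    $sql = "SELECT sc.fk_soc";
                    $sql.= " FROM (".MAIN_DB_PREFIX."societe_commerciaux as sc";
                    $sql.= ", ".MAIN_DB_PREFIX."societe as s)";
                    $sql.= " WHERE sc.fk_soc = ".$objectidsql;
                    $sql.= " AND sc.fk_user = ".$user->id;
                    $sql.= " AND sc.fk_soc = s.rowid";
                    $sql.= " AND s.entity IN (0,".$entity.")";
                }
                else if (! empty($conf->global->MAIN_MODULE_MULTICOMPANY))
                {
                    // Multicompany: an internal user with all permissions must still be in the right entity
                    $sql = "SELECT s.rowid";
                    $sql.= " FROM ".MAIN_DB_PREFIX."societe as s";
                    $sql.= " WHERE s.rowid = ".$objectidsql;
                    $sql.= " AND s.entity IN (0,".$entity.")";
                }
            }
            else if (in_array($feature, $checkother))
            {
                if ($user->societe_id > 0)
                {
                    // External user: record must be linked to its own company
                    $sql = "SELECT dbt.rowid";
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= " WHERE dbt.rowid = ".$objectidsql;
                    $sql.= " AND dbt.fk_soc = ".$user->societe_id;
                }
                else if (! $user->rights->societe->client->voir)
                {
                    // Internal user restricted to his companies: record not linked to a company, or linked to one of his
                    $sql = "SELECT dbt.rowid";
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'";
                    $sql.= " WHERE dbt.rowid = ".$objectidsql;
                    $sql.= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)";
                    $sql.= " AND dbt.entity IN (0,".$entity.")";
                }
                else if (! empty($conf->global->MAIN_MODULE_MULTICOMPANY))
                {
                    // Multicompany: an internal user with all permissions must still be in the right entity
                    $sql = "SELECT dbt.rowid";
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= " WHERE dbt.rowid = ".$objectidsql;
                    $sql.= " AND dbt.entity IN (0,".$entity.")";
                }
            }
            else if (in_array($feature, $checkproject))
            {
                if (! $user->rights->projet->all->lire)
                {
                    // Without the "all projects" right, the project must be in the user's authorized list
                    include_once(DOL_DOCUMENT_ROOT."/projet/class/project.class.php");
                    $projectstatic = new Project($db);
                    $tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, $user->societe_id);
                    $tmparray = explode(',', $tmps);
                    if (! in_array($objectid, $tmparray)) accessforbidden();
                }
            }
            else if (! in_array($feature, $nocheck))    // By default we check with link to third party
            {
                if ($user->societe_id > 0)
                {
                    // External user: record must be linked to its own company
                    $sql = "SELECT dbt.".$dbt_keyfield;
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= " WHERE dbt.rowid = ".$objectidsql;
                    $sql.= " AND dbt.".$dbt_keyfield." = ".$user->societe_id;
                }
                else if (! $user->rights->societe->client->voir)
                {
                    // Internal user restricted to his companies: record must be linked to one of them
                    $sql = "SELECT sc.fk_soc";
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= ", ".MAIN_DB_PREFIX."societe as s";
                    $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
                    $sql.= " WHERE dbt.".$dbt_select." = ".$objectidsql;
                    $sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield;
                    $sql.= " AND dbt.".$dbt_keyfield." = s.rowid";
                    $sql.= " AND s.entity IN (0,".$entity.")";
                    $sql.= " AND sc.fk_user = ".$user->id;
                }
                else if (! empty($conf->global->MAIN_MODULE_MULTICOMPANY))
                {
                    // Multicompany: an internal user with all permissions must still be in the right entity
                    $sql = "SELECT dbt.".$dbt_select;
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= " WHERE dbt.".$dbt_select." = ".$objectidsql;
                    $sql.= " AND dbt.entity IN (0,".$entity.")";
                }
            }

            if ($sql)
            {
                $resql = $db->query($sql);
                if ($resql)
                {
                    // No row: the record is outside the user's scope (or does not exist) -> deny
                    if ($db->num_rows($resql) == 0) accessforbidden();
                }
                else
                {
                    // A failing query must deny, never fall through to the page
                    dol_syslog("functions.lib:restrictedArea sql=".$sql, LOG_ERR);
                    accessforbidden();
                }
            }
        }
    }

    return 1;
}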
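/**
 * \file htdocs/fourn/product/liste.php
 * \ingroup produit
 * \brief Page liste des produits ou services
 * \version $Id: liste.php,v 1.42 2011/07/31 23:57:03 eldy Exp $
 */
require("../../main.inc.php");
require_once(DOL_DOCUMENT_ROOT."/product/class/product.class.php");
require_once(DOL_DOCUMENT_ROOT."/societe/class/societe.class.php");
require_once(DOL_DOCUMENT_ROOT."/fourn/class/fournisseur.class.php");

$langs->load("products");
$langs->load("suppliers");

// Read access on products or on services is enough to list them
if (!$user->rights->produit->lire && !$user->rights->service->lire) accessforbidden();

// Request parameters. They presumably feed the list query further down (filters,
// ORDER BY, LIMIT), so they are read through GETPOST with the same checks the other
// list pages of this tree use, instead of raw $_GET / $_POST lookups. GETPOST reads
// GET first and POST second, as the former isset() chain did.
$sref         = GETPOST('sref', 'alpha');
$sRefSupplier = GETPOST('srefsupplier', 'alpha');
$snom         = GETPOST('snom', 'alpha');

// Product type: '' keeps "no filter", anything else is forced to an integer
$type = GETPOST('type');
if ($type !== '' && $type !== null) $type = (int) $type;

// Sort parameters become a SQL identifier and a SQL keyword: only identifier characters
// and ASC/DESC are accepted, anything else falls back to '' so the page default applies
$sortfield = GETPOST('sortfield', 'alpha');
if (! preg_match('/^[A-Za-z0-9_.]+$/', $sortfield)) $sortfield = '';
$sortorder = GETPOST('sortorder', 'alpha');
if (! in_array(strtoupper($sortorder), array('ASC', 'DESC'))) $sortorder = '';

// Paging: a non-numeric or negative page falls back to the first one
$page = (int) GETPOST('page', 'int');
if ($page < 0)
{
    $page = 0;
}
$limit  = $conf->liste_limit;
$offset = $limit * $page;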
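// Sort and paging parameters. sortfield / sortorder are presumably placed in the ORDER BY
// of the list query, so only identifier characters and ASC/DESC are accepted; anything
// else falls back to the defaults set a few lines below.
$sortfield = GETPOST("sortfield");
if (! preg_match('/^[A-Za-z0-9_.]+$/', $sortfield)) $sortfield = '';
$sortorder = GETPOST("sortorder");
if (! in_array(strtoupper($sortorder), array('ASC', 'DESC'))) $sortorder = '';
$page = GETPOST("page", "int");
if ($page < 0)    // -1 is the "no page" marker; any other negative value would give a negative offset
{
    $page = 0;
}
$limit  = $conf->liste_limit;
$offset = $limit * $page;
if (! $sortorder) $sortorder = "ASC";
if (! $sortfield) $sortfield = "a.datec";

// Security check
$socid = GETPOST("socid", "int", 1);
if ($user->societe_id) $socid = $user->societe_id;    // an external user is pinned to its own company
$result = restrictedArea($user, 'agenda', 0, '', 'myactions');

$canedit = 1;
if (! $user->rights->agenda->myactions->read) accessforbidden();
if (! $user->rights->agenda->allactions->read) $canedit = 0;
// $filter is expected to be set earlier in this file (not shown here)
if (! $user->rights->agenda->allactions->read || $filter == 'mine')    // If no permission to see all, we show only affected to me
{
    $filtera = $user->id;
    $filtert = $user->id;
    $filterd = $user->id;
}

$action = GETPOST('action', 'alpha');

// Calendar position: defaults to today when not given
//$year=GETPOST("year");
$year  = GETPOST("year", "int") ? GETPOST("year", "int") : date("Y");
$month = GETPOST("month", "int") ? GETPOST("month", "int") : date("m");
$week  = GETPOST("week", "int") ? GETPOST("week", "int") : date("W");
$day   = GETPOST("day", "int") ? GETPOST("day", "int") : 0;
$pid   = GETPOST("projectid", "int") ? GETPOST("projectid", "int") : 0;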
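/**
 * \file htdocs/compta/ventilation/fiche.php
 * \ingroup compta
 * \brief Page fiche ventilation
 * \version $Revision: 1.18 $
 */
require('../../main.inc.php');
require_once(DOL_DOCUMENT_ROOT."/compta/facture/class/facture.class.php");

$langs->load("bills");

$mesg = '';

// Only users allowed to create a ventilation may open this page
if (!$user->rights->compta->ventilation->creer) accessforbidden();

/*
 * Actions
 */
if (isset($_POST["action"]) && $_POST["action"] == 'ventil' && $user->rights->compta->ventilation->creer)
{
    // Both request values are numeric keys (fk_code_ventilation and the invoice line rowid)
    // and are embedded in the UPDATE below, so they are forced to integers rather than
    // concatenated raw. Note the line id is taken from the query string while the action
    // comes from the POST body; the page does not verify that the line belongs to an
    // invoice the user may see beyond the permission check above.
    $codeventil = isset($_POST["codeventil"]) ? (int) $_POST["codeventil"] : 0;
    $lineid     = isset($_GET["id"]) ? (int) $_GET["id"] : 0;

    $sql  = " UPDATE ".MAIN_DB_PREFIX."facturedet";
    $sql .= " SET fk_code_ventilation = ".$codeventil;
    $sql .= " WHERE rowid = ".$lineid;
    $db->query($sql);
}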
* \brief File to offer a way to make a payment for a particular Dolibarr entity
* \author Laurent Destailleur
* \version $Id: newpayment.php,v 1.61 2011/07/31 23:23:21 eldy Exp $
*/

// Public entry point: no session is required and the CSRF token check is skipped so that
// an external site can link here. Everything read from the request on this page is
// therefore unauthenticated input and must be treated as such.
define("NOLOGIN",1);       // This means this output page does not require to be logged.
define("NOCSRFCHECK",1);   // We accept to go on this page from external web site.

require("../../main.inc.php");
require_once(DOL_DOCUMENT_ROOT."/paybox/lib/paybox.lib.php");
require_once(DOL_DOCUMENT_ROOT."/lib/company.lib.php");
require_once(DOL_DOCUMENT_ROOT."/lib/functions2.lib.php");
require_once(DOL_DOCUMENT_ROOT."/product/class/product.class.php");

// Security check: the page only exists when the Paybox module is enabled
if (empty($conf->paybox->enabled)) accessforbidden('',1,1,1);

$langs->load("main");
$langs->load("other");
$langs->load("dict");
$langs->load("bills");
$langs->load("companies");
$langs->load("errors");
$langs->load("paybox");

// Input are:
// type ('invoice','order','contractline'),
// id (object id),
// amount (required if id is empty),
// tag (a free text, required if type is empty)
// currency (iso code)
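* \version $Id: rappro.php,v 1.68 2011/07/31 22:23:16 eldy Exp $
*/
require("./pre.inc.php");
require_once(DOL_DOCUMENT_ROOT."/lib/bank.lib.php");
require_once(DOL_DOCUMENT_ROOT."/societe/class/societe.class.php");
require_once(DOL_DOCUMENT_ROOT."/adherents/class/adherent.class.php");
require_once(DOL_DOCUMENT_ROOT."/compta/sociales/class/chargesociales.class.php");
require_once(DOL_DOCUMENT_ROOT."/compta/paiement/class/paiement.class.php");
require_once(DOL_DOCUMENT_ROOT."/compta/tva/class/tva.class.php");
require_once(DOL_DOCUMENT_ROOT."/fourn/class/paiementfourn.class.php");

$langs->load("banks");
$langs->load("bills");

// Bank reconciliation page: the consolidate permission is required to get here at all
if (! $user->rights->banque->consolidate) accessforbidden();

/*
 * Actions
 */

// Bank line id used by the value-date shift actions. It is handed to the Account
// methods, which presumably use it as a database key, so it is forced to an integer
// instead of being passed through raw from the query string.
$rowid = isset($_GET["rowid"]) ? (int) $_GET["rowid"] : 0;

if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $_GET["action"] == 'dvnext')
{
    $ac = new Account($db);
    $ac->datev_next($rowid);
}
if (($user->rights->banque->modifier || $user->rights->banque->consolidate) && $_GET["action"] == 'dvprev')
{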
$canreaduser=($user->admin || ($user->rights->user->user->lire && $user->rights->user->user_advance->readperms)); $caneditselfperms=($user->id == $_GET["id"] && $user->rights->user->self_advance->writeperms); $caneditperms = '('.$caneditperms.' || '.$caneditselfperms.')'; } // Security check $socid=0; if ($user->societe_id > 0) $socid = $user->societe_id; $feature2 = (($socid && $user->rights->user->self->creer)?'':'user'); if ($user->id == $_GET["id"]) // A user can always read its own card { $feature2=''; $canreaduser=1; } $result = restrictedArea($user, 'user', $_GET["id"], '', $feature2); if ($user->id <> $_REQUEST["id"] && ! $canreaduser) accessforbidden(); /** * Actions */ if ($_GET["action"] == 'addrights' && $caneditperms) { $edituser = new User($db); $edituser->fetch($_GET["id"]); $edituser->addrights($_GET["rights"],$module); // Si on a touche a ses propres droits, on recharge if ($_GET["id"] == $user->id) { $user->clearrights();
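/**
 * \file public/emailing/mailing-read.php
 * \ingroup mailing
 * \brief Script use to update mail status if destinaries read it (if images during mail read are display)
 */

// Public tracking pixel: no session and no CSRF token, anyone on the internet can call it
define("NOLOGIN",1);       // This means this output page does not require to be logged.
define("NOCSRFCHECK",1);   // We accept to go on this page from external web site.

require("../../main.inc.php");

$id = GETPOST('tag');

if (empty($conf->global->MAILING_EMAIL_UNSUBSCRIBE)) accessforbidden('Option not enabled');

// The tag is concatenated into the UPDATE below on an unauthenticated page, so a value
// carrying a quote or a backslash is dropped before it can reach the query. Such a value
// cannot match a stored tag anyway (it only broke the statement before). Escaping through
// the database layer's helper would be the fuller fix.
if (preg_match('/[\'"\\\\]/', $id)) $id = '';

/*
 * Actions
 */
if ($id != '')
{
    $statut = '2';    // status value recorded when the mail has been read
    $sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles SET statut=".$statut." WHERE tag='".$id."'";
    dol_syslog("public/emailing/mailing-read.php : Mail read : ".$sql, LOG_DEBUG);
    $resql = $db->query($sql);
    //Update status communication of thirdparty prospect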
// List of supported formats for extra fields (key = storage type, value = translated label)
$type2label=array(
    'varchar'=>$langs->trans('String'),
    'text'=>$langs->trans('Text'),
    'int'=>$langs->trans('Int'),
    //'date'=>$langs->trans('Date'),
    //'datetime'=>$langs->trans('DateAndTime')
);
$yesno=array($langs->trans('No'),$langs->trans('Yes'));

$action=GETPOST("action");
$elementtype='Societe';

// Setup page: administrators only
if (!$user->admin) accessforbidden();

// Action names and their toggle pictures, indexed by the target state (0 = disable, 1 = activate)
$acts[0] = "activate";
$acts[1] = "disable";
$actl[0] = img_picto($langs->trans("Disabled"),'switch_off');
$actl[1] = img_picto($langs->trans("Activated"),'switch_on');

/*
 * Actions
 */

// Upper bounds applied to the size of a new attribute (see the add/update actions below)
$maxsizestring=255;
$maxsizeint=10;

if($action==$acts[0] || $action==$acts[1])
{
// $user est le user qui edite, $id est l'id de l'utilisateur edite $caneditfield=((($user->id == $id) && $user->rights->user->self->creer) || (($user->id != $id) && $user->rights->user->user->creer)); $caneditpassword=((($user->id == $id) && $user->rights->user->self->password) || (($user->id != $id) && $user->rights->user->user->password)); } // Security check $socid=0; if ($user->societe_id > 0) $socid = $user->societe_id; $feature2='user'; if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card if (!$canreaduser) { $result = restrictedArea($user, 'user', $id, 'user&user', $feature2); } if ($user->id <> $id && ! $canreaduser) accessforbidden(); $langs->load("users"); $langs->load("companies"); $langs->load("ldap"); $langs->load("admin"); $langs->load('hrm'); $object = new User($db); $extrafields = new ExtraFields($db); // fetch optionals attributes and labels $extralabels=$extrafields->fetch_name_optionals_label($object->table_element); // Initialize technical object to manage hooks. Note that conf->hooks_modules contains array $hookmanager->initHooks(array('usercard','globalcard'));
require '../../main.inc.php';
require_once '../../core/lib/functions2.lib.php';

$langs->load("main");
$langs->load("install");
$langs->load("other");

// Display switches taken from the request; all forced to integers by GETPOST
$conf->dol_hide_topmenu=GETPOST('dol_hide_topmenu','int');
$conf->dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int');
$conf->dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int');
$conf->dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int');
$conf->dol_use_jmobile=GETPOST('dol_use_jmobile','int');

// Security check: this demo entry page is only served when the conf file explicitly
// enables it through $dolibarr_main_demo (the message below documents the expected value)
global $dolibarr_main_demo;
if (empty($dolibarr_main_demo)) accessforbidden('Parameter dolibarr_main_demo must be defined in conf file with value "default login,default pass" to enable the demo entry page',0,0,1);

// Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
$res=$hookmanager->initHooks(array('demo'));

// Profiles and module lists that hooks may fill in through 'addDemoProfile'
$demoprofiles=array();
$alwayscheckedmodules=array();
$alwaysuncheckedmodules=array();
$alwayshiddencheckedmodules=array();
$alwayshiddenuncheckedmodules=array();

$tmpaction = 'view';
$parameters=array();
$object=new stdClass();
$reshook=$hookmanager->executeHooks('addDemoProfile', $parameters, $object, $tmpaction);    // Note that $action and $object may have been modified by some hooks
$error=$hookmanager->error;
$errors=$hookmanager->errors;
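* \brief Page de detail des lignes de ventilation d'une facture
* \version $Revision: 1.23 $
*/
require('../../main.inc.php');
require_once(DOL_DOCUMENT_ROOT."/compta/facture/class/facture.class.php");
require_once(DOL_DOCUMENT_ROOT."/product/class/product.class.php");

$langs->load("bills");
$langs->load("compta");

// Both invoice read access and ventilation create access are required
if (!$user->rights->facture->lire) accessforbidden();
if (!$user->rights->compta->ventilation->creer) accessforbidden();

// External (customer) users never reach this page
if ($user->societe_id > 0) accessforbidden();

llxHeader('');

/*
 * Invoice lines
 */

// Page number: forced to an integer so $offset is always numeric (it presumably ends up
// in the LIMIT clause of the query started below); negative pages fall back to the first
$page = isset($_GET["page"]) ? (int) $_GET["page"] : 0;
if ($page < 0) $page = 0;
$limit  = $conf->liste_limit;
$offset = $limit * $page;

$sql = "SELECT f.facnumber, f.rowid as facid, l.fk_product, l.description, l.price, l.qty, l.rowid, l.tva_tx, l.fk_code_ventilation, c.intitule, c.numero,";
$sql.= " p.rowid as product_id, p.ref as product_ref, p.label as product_label, p.fk_product_type as type";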
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

/**
 * \file htdocs/public/donations/therm.php
 * \ingroup donation
 * \brief Screen with thermometer
 */

// Public image: served without a session and without the CSRF token check
define("NOLOGIN", 1);       // This means this output page does not require to be logged.
define("NOCSRFCHECK", 1);   // We accept to go on this page from external web site.

require '../../main.inc.php';
require_once DOL_DOCUMENT_ROOT . '/core/lib/images.lib.php';
require_once DOL_DOCUMENT_ROOT . '/compta/dons/class/don.class.php';

// Security check: nothing to show unless the donation module is enabled
if (empty($conf->don->enabled))
{
    accessforbidden('', 1, 1, 1);
}

/*
 * View (output an image)
 */

// Sum the donations per status (1, 2 and 3, queried in that order), then release the
// connection before drawing: the image only needs the three totals.
$donation = new Don($db);
$sums = array();
foreach (array(1, 2, 3) as $status)
{
    $sums[$status] = $donation->sum_donations($status);
}
$db->close();

/*
 * Graph thermometer
 */
print moneyMeter($sums[3], $sums[2], $sums[1]);
} } else { /* * Show object in view mode */ if ($id > 0 || ! empty($ref)) { dol_htmloutput_mesg($mesg); $result=$object->fetch($id,$ref); if ($result > 0) { if ($user->societe_id>0 && $user->societe_id!=$object->socid) accessforbidden('',0); $result=$object->fetch_thirdparty(); $soc = new Societe($db, $object->socid); $soc->fetch($object->socid); $totalpaye = $object->getSommePaiement(); $totalcreditnotes = $object->getSumCreditNotesUsed(); $totaldeposits = $object->getSumDepositsUsed(); //print "totalpaye=".$totalpaye." totalcreditnotes=".$totalcreditnotes." totaldeposts=".$totaldeposits; // We can also use bcadd to avoid pb with floating points // For example print 239.2 - 229.3 - 9.9; does not return 0. //$resteapayer=bcadd($object->total_ttc,$totalpaye,$conf->global->MAIN_MAX_DECIMALS_TOT); //$resteapayer=bcadd($resteapayer,$totalavoir,$conf->global->MAIN_MAX_DECIMALS_TOT);
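*/
require '../main.inc.php';
require_once DOL_DOCUMENT_ROOT . '/projet/class/project.class.php';
require_once DOL_DOCUMENT_ROOT . '/projet/class/task.class.php';
require_once DOL_DOCUMENT_ROOT . '/core/lib/project.lib.php';
require_once DOL_DOCUMENT_ROOT . '/core/lib/date.lib.php';

$langs->load("projects");
$langs->load("companies");

// mode=mine restricts the list to the projects the user is assigned to
$mine = GETPOST('mode') == 'mine' ? 1 : 0;

// Security check
$socid = 0;
if ($user->societe_id > 0)
{
    $socid = $user->societe_id;    // external users are pinned to their own company
}
if (!$user->rights->projet->lire)
{
    accessforbidden();
}

// Sort parameters presumably end up in the ORDER BY of the list query: only identifier
// characters and ASC/DESC are accepted, anything else is treated as "not given"
$sortfield = GETPOST("sortfield", 'alpha');
if (! preg_match('/^[A-Za-z0-9_.]+$/', $sortfield)) $sortfield = '';
$sortorder = GETPOST("sortorder", 'alpha');
if (! in_array(strtoupper($sortorder), array('ASC', 'DESC'))) $sortorder = '';

/*
 * View
 */
$socstatic     = new Societe($db);
$projectstatic = new Project($db);
$userstatic    = new User($db);
$tasktmp       = new Task($db);

// Authorized project ids: own projects when $mine, otherwise all (2) for users with the
// "all projects" right and the assigned ones (0) for the others
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, $mine ? $mine : (empty($user->rights->projet->all->lire) ? 0 : 2), 1);
//var_dump($projectsListId);

llxHeader("", $langs->trans("Projects"), "EN:Module_Projects|FR:Module_Projets|ES:Módulo_Proyectos");

$text = $langs->trans("Projects");
if ($mine)
{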
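// Load translation files
$langs->load("ecm");
$langs->load("companies");
$langs->load("other");
$langs->load("users");
$langs->load("orders");
$langs->load("propal");
$langs->load("bills");
$langs->load("contracts");
$langs->load("categories");

// Load permissions
$user->getrights('ecm');
if (!$user->rights->ecm->setup) accessforbidden();

// Get parameters
$socid = isset($_GET["socid"]) ? (int) $_GET["socid"] : '';

// $section is appended to the ECM output directory to build $upload_dir, so it must not
// be able to climb out of that directory: an absolute path, a NUL byte or any ".."
// segment is refused. Sub-paths made of ordinary segments are still accepted.
$section = isset($_GET["section"]) ? $_GET["section"] : '';
if (! $section) $section = 'misc';
if ($section[0] == '/' || $section[0] == '\\'
    || strpos($section, "\0") !== false
    || preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $section))
{
    accessforbidden();
}
$upload_dir = $conf->ecm->dir_output.'/'.$section;

$sortfield = GETPOST("sortfield", 'alpha');
$sortorder = GETPOST("sortorder", 'alpha');

// Paging: -1 is the "no page" marker; any negative value maps to the first page so the
// offset can never be negative
$page = GETPOST("page", 'int');
if ($page < 0)
{
    $page = 0;
}
$offset   = $conf->liste_limit * $page;
$pageprev = $page - 1;
$pagenext = $page + 1;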