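/**
 *	Check permissions of a user to show a page and an object. Check read permission.
 * 	If GETPOST('action') defined, we also check write and delete permission.
 *
 *	Features are module names: 'a&b' requires every listed module, 'a|b' requires at least one.
 *	When the canvas object provides its own restrictedArea(), the whole check is delegated to it.
 *	On failure the function does not return: accessforbidden() terminates the process.
 *
 *	@param	User	$user      	  	User to check
 *	@param  string	$features	    Features to check (it must be module name. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
 *	@param  int		$objectid      	Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
 *	@param  string	$tableandshare  'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
 *	@param  string	$feature2		Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
 *  @param  string	$dbt_keyfield   Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
 *  @param  string	$dbt_select     Field name for select if not rowid. Not used if objectid is null (optional)
 *  @param	Canvas	$objcanvas		Object canvas
 * 	@return	int						Always 1, die process if not allowed
 */
function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $objcanvas = null)
{
    global $conf;

    // If we use canvas, we try to use function that overloads restrictedArea if provided with canvas.
    // Fix: the original forwarded $dbtablename, a local that was only assigned further down (from
    // $tableandshare), so the canvas implementation always received null; $tableandshare is
    // presumably the value it expects in that position.
    if (is_object($objcanvas) && method_exists($objcanvas->control, 'restrictedArea')) {
        return $objcanvas->control->restrictedArea($user, $features, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
    }

    // For a non-numeric selector (e.g. a ref) the value is pre-quoted for the SQL built by
    // checkUserAccessToObject(). NOTE(review): the value is wrapped, not escaped, and the
    // per-object check at the end of this function only runs when $objectid > 0, which a
    // quoted string never satisfies, so no object-level check happens for such selectors —
    // confirm against checkUserAccessToObject() and move quoting/escaping there.
    if ($dbt_select !== 'rowid' && $dbt_select !== 'id') {
        $objectid = "'" . $objectid . "'";
    }

    // Features/modules to check: '&' means all are required, '|' means at least one
    $featuresarray = array($features);
    if (preg_match('/&/', $features)) {
        $featuresarray = explode("&", $features);
    } elseif (preg_match('/\\|/', $features)) {
        $featuresarray = explode("|", $features);
    }
    // The OR fallback is keyed on the raw string, so it also applies to a mixed spec such
    // as 'a|b&c' that was split on '&' (unchanged from the original behaviour).
    $isorlist = preg_match('/\\|/', $features) ? true : false;

    // More subfeatures to check ('level1|level2' = at least one of them)
    if (!empty($feature2)) {
        $feature2 = explode("|", $feature2);
    }

    // External users (linked to a thirdparty) may be restricted to a whitelist of modules
    $listofmodules = explode(',', $conf->global->MAIN_MODULES_FOR_EXTERNAL);
    $action = GETPOST("action");

    // Check read permission from module.
    // $nbko counts the features that failed so an OR list can be accepted when at least one passed.
    $readok = 1;
    $nbko = 0;
    foreach ($featuresarray as $feature) {
        if (!empty($user->societe_id) && !empty($conf->global->MAIN_MODULES_FOR_EXTERNAL) && !in_array($feature, $listofmodules, true)) {
            $readok = 0;
            $nbko++;
            continue;
        }
        if ($feature == 'societe') {
            if (!$user->rights->societe->lire && !$user->rights->fournisseur->lire) {
                $readok = 0;
                $nbko++;
            }
        } elseif ($feature == 'contact') {
            if (!$user->rights->societe->contact->lire) {
                $readok = 0;
                $nbko++;
            }
        } elseif ($feature == 'produit|service') {
            if (!$user->rights->produit->lire && !$user->rights->service->lire) {
                $readok = 0;
                $nbko++;
            }
        } elseif ($feature == 'prelevement') {
            if (!$user->rights->prelevement->bons->lire) {
                $readok = 0;
                $nbko++;
            }
        } elseif ($feature == 'cheque') {
            if (!$user->rights->banque->cheque) {
                $readok = 0;
                $nbko++;
            }
        } elseif ($feature == 'projet') {
            if (!$user->rights->projet->lire && !$user->rights->projet->all->lire) {
                $readok = 0;
                $nbko++;
            }
        } elseif (!empty($feature2)) {
            // Second-level features: the first granted one is enough (OR), an empty
            // subfeature falls back to the module-level right.
            $tmpreadok = 1;
            foreach ($feature2 as $subfeature) {
                if (!empty($subfeature) && empty($user->rights->{$feature}->{$subfeature}->lire) && empty($user->rights->{$feature}->{$subfeature}->read)) {
                    $tmpreadok = 0;
                } elseif (empty($subfeature) && empty($user->rights->{$feature}->lire) && empty($user->rights->{$feature}->read)) {
                    $tmpreadok = 0;
                } else {
                    $tmpreadok = 1;
                    break;
                }
            }
            if (!$tmpreadok) {
                // All subfeatures are ko for this feature (the AND); the OR across features is handled with $nbko
                $readok = 0;
                $nbko++;
            }
        } elseif (!empty($feature) && ($feature != 'user' && $feature != 'usergroup')) {
            if (empty($user->rights->{$feature}->lire) && empty($user->rights->{$feature}->read) && empty($user->rights->{$feature}->run)) {
                $readok = 0;
                $nbko++;
            }
        }
    }
    // If a or and at least one ok
    if ($isorlist && $nbko < count($featuresarray)) {
        $readok = 1;
    }
    if (!$readok) {
        accessforbidden();
    }

    // Check write permission from module
    $createok = 1;
    $nbko = 0;
    if ($action == 'create') {
        foreach ($featuresarray as $feature) {
            if ($feature == 'contact') {
                if (!$user->rights->societe->contact->creer) {
                    $createok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'produit|service') {
                if (!$user->rights->produit->creer && !$user->rights->service->creer) {
                    $createok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'prelevement') {
                if (!$user->rights->prelevement->bons->creer) {
                    $createok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'commande_fournisseur') {
                if (!$user->rights->fournisseur->commande->creer) {
                    $createok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'banque') {
                if (!$user->rights->banque->modifier) {
                    $createok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'cheque') {
                if (!$user->rights->banque->cheque) {
                    $createok = 0;
                    $nbko++;
                }
            } elseif (!empty($feature2)) {
                foreach ($feature2 as $subfeature) {
                    if (empty($user->rights->{$feature}->{$subfeature}->creer) && empty($user->rights->{$feature}->{$subfeature}->write) && empty($user->rights->{$feature}->{$subfeature}->create)) {
                        $createok = 0;
                        $nbko++;
                    } else {
                        // One granted subfeature is enough: stop at the first that passes
                        $createok = 1;
                        break;
                    }
                }
            } elseif (!empty($feature)) {
                if (empty($user->rights->{$feature}->creer) && empty($user->rights->{$feature}->write)) {
                    $createok = 0;
                    $nbko++;
                }
            }
        }
        // If a or and at least one ok
        if ($isorlist && $nbko < count($featuresarray)) {
            $createok = 1;
        }
        if (!$createok) {
            accessforbidden();
        }
    }

    // Check create user permission
    $createuserok = 1;
    if ($action == 'confirm_create_user' && GETPOST("confirm") == 'yes') {
        if (!$user->rights->user->user->creer) {
            $createuserok = 0;
        }
        if (!$createuserok) {
            accessforbidden();
        }
    }

    // Check delete permission from module.
    // Fix: $nbko was never incremented in this loop, so for an OR list the "at least one ok"
    // fallback below always reset $deleteok to 1 and the delete right was effectively not checked.
    $deleteok = 1;
    $nbko = 0;
    if (($action == 'confirm_delete' && GETPOST("confirm") == 'yes') || $action == 'delete') {
        foreach ($featuresarray as $feature) {
            if ($feature == 'contact') {
                if (!$user->rights->societe->contact->supprimer) {
                    $deleteok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'produit|service') {
                if (!$user->rights->produit->supprimer && !$user->rights->service->supprimer) {
                    $deleteok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'commande_fournisseur') {
                if (!$user->rights->fournisseur->commande->supprimer) {
                    $deleteok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'banque') {
                if (!$user->rights->banque->modifier) {
                    $deleteok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'cheque') {
                if (!$user->rights->banque->cheque) {
                    $deleteok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'ecm') {
                if (!$user->rights->ecm->upload) {
                    $deleteok = 0;
                    $nbko++;
                }
            } elseif ($feature == 'ftp') {
                if (!$user->rights->ftp->write) {
                    $deleteok = 0;
                    $nbko++;
                }
            } elseif (!empty($feature2)) {
                foreach ($feature2 as $subfeature) {
                    if (empty($user->rights->{$feature}->{$subfeature}->supprimer) && empty($user->rights->{$feature}->{$subfeature}->delete)) {
                        $deleteok = 0;
                        $nbko++;
                    } else {
                        // One granted subfeature is enough: stop at the first that passes
                        $deleteok = 1;
                        break;
                    }
                }
            } elseif (!empty($feature)) {
                if (empty($user->rights->{$feature}->supprimer) && empty($user->rights->{$feature}->delete) && empty($user->rights->{$feature}->run)) {
                    $deleteok = 0;
                    $nbko++;
                }
            }
        }
        // If a or and at least one ok
        if ($isorlist && $nbko < count($featuresarray)) {
            $deleteok = 1;
        }
        if (!$deleteok) {
            accessforbidden();
        }
    }

    // If we have a particular object to check permissions on, we check this object
    // is linked to a company allowed to $user. Only numeric ids reach this check (see the
    // quoting note above).
    if (!empty($objectid) && $objectid > 0) {
        $ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
        return $ok ? 1 : accessforbidden();
    }
    return 1;
}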
 /**
  * Check user access to a resource
  *
  * Splits the resource spec ('a&b' = every module required, 'a|b' = at least one) and the
  * optional second-level feature ('x|y') the same way restrictedArea() does, then delegates
  * the actual check to checkUserAccessToObject() for the current API user.
  *
  * @param string	$resource		element to check
  * @param int		$resource_id	Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
  * @param string	$dbtablename	'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
  * @param string	$feature2		Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
  * @param string	$dbt_keyfield   Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
  * @param string	$dbt_select     Field name for select if not rowid. Not used if objectid is null (optional)
  * @return mixed					Whatever checkUserAccessToObject() returns
  * @throws RestException
  */
 static function _checkAccessToResource($resource, $resource_id = 0, $dbtablename = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid')
 {
     // Features/modules to check: '&' takes precedence over '|' when both are present
     if (strpos($resource, '&') !== false) {
         $featuresarray = explode('&', $resource);
     } elseif (strpos($resource, '|') !== false) {
         $featuresarray = explode('|', $resource);
     } else {
         $featuresarray = array($resource);
     }

     // Second-level features: an empty value is forwarded untouched, otherwise split on '|'
     $subfeatures = empty($feature2) ? $feature2 : explode('|', $feature2);

     return checkUserAccessToObject(DolibarrApiAccess::$user, $featuresarray, $resource_id, $dbtablename, $subfeatures, $dbt_keyfield, $dbt_select);
 }