/**
* Check permissions of a user to show a page and an object. Check read permission.
* If GETPOST('action') defined, we also check write and delete permission.
*
* @param User $user User to check
* @param string $features Features to check (it must be module name. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
* @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
* @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
* @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
* @param Canvas $objcanvas Object canvas
* @return int Always 1, die process if not allowed
*/
function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $objcanvas = null)
{
global $db, $conf;
//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
//print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
//print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
//print ", perm: ".$features."->".$feature2."=".($user->rights->$features->$feature2->lire)."<br>";
// If we use canvas, we try to use function that overlod restrictarea if provided with canvas
if (is_object($objcanvas)) {
if (method_exists($objcanvas->control, 'restrictedArea')) {
return $objcanvas->control->restrictedArea($user, $features, $objectid, $dbtablename, $feature2, $dbt_keyfield, $dbt_select);
}
}
if ($dbt_select != 'rowid' && $dbt_select != 'id') {
$objectid = "'" . $objectid . "'";
}
// Features/modules to check
$featuresarray = array($features);
if (preg_match('/&/', $features)) {
$featuresarray = explode("&", $features);
} else {
if (preg_match('/\\|/', $features)) {
$featuresarray = explode("|", $features);
}
}
// More subfeatures to check
if (!empty($feature2)) {
$feature2 = explode("|", $feature2);
}
// More parameters
$params = explode('&', $tableandshare);
$dbtablename = !empty($params[0]) ? $params[0] : '';
$sharedelement = !empty($params[1]) ? $params[1] : $dbtablename;
$listofmodules = explode(',', $conf->global->MAIN_MODULES_FOR_EXTERNAL);
// Check read permission from module
$readok = 1;
$nbko = 0;
foreach ($featuresarray as $feature) {
if (!empty($user->societe_id) && !empty($conf->global->MAIN_MODULES_FOR_EXTERNAL) && !in_array($feature, $listofmodules)) {
$readok = 0;
$nbko++;
continue;
}
if ($feature == 'societe') {
if (!$user->rights->societe->lire && !$user->rights->fournisseur->lire) {
$readok = 0;
$nbko++;
}
} else {
if ($feature == 'contact') {
if (!$user->rights->societe->contact->lire) {
$readok = 0;
$nbko++;
}
} else {
if ($feature == 'produit|service') {
if (!$user->rights->produit->lire && !$user->rights->service->lire) {
$readok = 0;
$nbko++;
}
} else {
if ($feature == 'prelevement') {
if (!$user->rights->prelevement->bons->lire) {
$readok = 0;
$nbko++;
}
} else {
if ($feature == 'cheque') {
if (!$user->rights->banque->cheque) {
$readok = 0;
$nbko++;
}
} else {
if ($feature == 'projet') {
if (!$user->rights->projet->lire && !$user->rights->projet->all->lire) {
$readok = 0;
$nbko++;
}
} else {
if (!empty($feature2)) {
$tmpreadok = 1;
foreach ($feature2 as $subfeature) {
if (!empty($subfeature) && empty($user->rights->{$feature}->{$subfeature}->lire) && empty($user->rights->{$feature}->{$subfeature}->read)) {
$tmpreadok = 0;
} else {
if (empty($subfeature) && empty($user->rights->{$feature}->lire) && empty($user->rights->{$feature}->read)) {
$tmpreadok = 0;
} else {
$tmpreadok = 1;
break;
}
}
// Break is to bypass second test if the first is ok
}
if (!$tmpreadok) {
$readok = 0;
// All tests are ko (we manage here the and, the or will be managed later using $nbko).
$nbko++;
}
} else {
if (!empty($feature) && ($feature != 'user' && $feature != 'usergroup')) {
if (empty($user->rights->{$feature}->lire) && empty($user->rights->{$feature}->read) && empty($user->rights->{$feature}->run)) {
$readok = 0;
$nbko++;
}
}
}
}
}
}
}
}
}
}
// If a or and at least one ok
if (preg_match('/\\|/', $features) && $nbko < count($featuresarray)) {
$readok = 1;
}
if (!$readok) {
accessforbidden();
}
//print "Read access is ok";
// Check write permission from module
$createok = 1;
$nbko = 0;
if (GETPOST("action") == 'create') {
foreach ($featuresarray as $feature) {
if ($feature == 'contact') {
if (!$user->rights->societe->contact->creer) {
$createok = 0;
$nbko++;
}
} else {
if ($feature == 'produit|service') {
if (!$user->rights->produit->creer && !$user->rights->service->creer) {
$createok = 0;
$nbko++;
}
} else {
if ($feature == 'prelevement') {
if (!$user->rights->prelevement->bons->creer) {
$createok = 0;
$nbko++;
}
} else {
if ($feature == 'commande_fournisseur') {
if (!$user->rights->fournisseur->commande->creer) {
$createok = 0;
$nbko++;
}
} else {
if ($feature == 'banque') {
if (!$user->rights->banque->modifier) {
$createok = 0;
$nbko++;
}
} else {
if ($feature == 'cheque') {
if (!$user->rights->banque->cheque) {
$createok = 0;
$nbko++;
}
} else {
if (!empty($feature2)) {
foreach ($feature2 as $subfeature) {
if (empty($user->rights->{$feature}->{$subfeature}->creer) && empty($user->rights->{$feature}->{$subfeature}->write) && empty($user->rights->{$feature}->{$subfeature}->create)) {
$createok = 0;
$nbko++;
} else {
$createok = 1;
break;
}
// Break to bypass second test if the first is ok
}
} else {
if (!empty($feature)) {
//print '<br>feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write;
if (empty($user->rights->{$feature}->creer) && empty($user->rights->{$feature}->write)) {
$createok = 0;
$nbko++;
}
}
}
}
}
}
}
}
}
}
// If a or and at least one ok
if (preg_match('/\\|/', $features) && $nbko < count($featuresarray)) {
$createok = 1;
}
if (!$createok) {
accessforbidden();
}
//print "Write access is ok";
}
// Check create user permission
$createuserok = 1;
if (GETPOST("action") == 'confirm_create_user' && GETPOST("confirm") == 'yes') {
if (!$user->rights->user->user->creer) {
$createuserok = 0;
}
if (!$createuserok) {
accessforbidden();
}
//print "Create user access is ok";
}
// Check delete permission from module
$deleteok = 1;
$nbko = 0;
if (GETPOST("action") == 'confirm_delete' && GETPOST("confirm") == 'yes' || GETPOST("action") == 'delete') {
foreach ($featuresarray as $feature) {
if ($feature == 'contact') {
if (!$user->rights->societe->contact->supprimer) {
$deleteok = 0;
}
} else {
if ($feature == 'produit|service') {
if (!$user->rights->produit->supprimer && !$user->rights->service->supprimer) {
$deleteok = 0;
}
} else {
if ($feature == 'commande_fournisseur') {
if (!$user->rights->fournisseur->commande->supprimer) {
$deleteok = 0;
}
} else {
if ($feature == 'banque') {
if (!$user->rights->banque->modifier) {
$deleteok = 0;
}
} else {
if ($feature == 'cheque') {
if (!$user->rights->banque->cheque) {
$deleteok = 0;
}
} else {
if ($feature == 'ecm') {
if (!$user->rights->ecm->upload) {
$deleteok = 0;
}
} else {
if ($feature == 'ftp') {
if (!$user->rights->ftp->write) {
$deleteok = 0;
}
} else {
if (!empty($feature2)) {
foreach ($feature2 as $subfeature) {
if (empty($user->rights->{$feature}->{$subfeature}->supprimer) && empty($user->rights->{$feature}->{$subfeature}->delete)) {
$deleteok = 0;
} else {
$deleteok = 1;
break;
}
// For bypass the second test if the first is ok
}
} else {
if (!empty($feature)) {
//print '<br>feature='.$feature.' creer='.$user->rights->$feature->supprimer.' write='.$user->rights->$feature->delete;
if (empty($user->rights->{$feature}->supprimer) && empty($user->rights->{$feature}->delete) && empty($user->rights->{$feature}->run)) {
$deleteok = 0;
}
}
}
}
}
}
}
}
}
}
}
// If a or and at least one ok
if (preg_match('/\\|/', $features) && $nbko < count($featuresarray)) {
$deleteok = 1;
}
if (!$deleteok) {
accessforbidden();
}
//print "Delete access is ok";
}
// If we have a particular object to check permissions on, we check this object
// is linked to a company allowed to $user.
if (!empty($objectid) && $objectid > 0) {
$ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select);
return $ok ? 1 : accessforbidden();
}
return 1;
}
/**
* Check user access to a resource
*
* Check access by user to a given resource
*
* @param string $resource element to check
* @param int $resource_id Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
* @param type $dbtablename 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
* @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
* @throws RestException
*/
static function _checkAccessToResource($resource, $resource_id = 0, $dbtablename = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid')
{
// Features/modules to check
$featuresarray = array($resource);
if (preg_match('/&/', $resource)) {
$featuresarray = explode("&", $resource);
} else {
if (preg_match('/\\|/', $resource)) {
$featuresarray = explode("|", $resource);
}
}
// More subfeatures to check
if (!empty($feature2)) {
$feature2 = explode("|", $feature2);
}
return checkUserAccessToObject(DolibarrApiAccess::$user, $featuresarray, $resource_id, $dbtablename, $feature2, $dbt_keyfield, $dbt_select);
}
