$projectstatic->fetch($id); $projectstatic->societe->fetch($projectstatic->societe->id); } print_barre_liste($title, $page, $_SERVER["PHP_SELF"], "", $sortfield, $sortorder, "", $num); // Show description of content if ($mine) print $langs->trans("MyProjectsDesc").'<br><br>'; else { if ($user->rights->projet->all->lire && ! $socid) print $langs->trans("ProjectsDesc").'<br><br>'; else print $langs->trans("ProjectsPublicDesc").'<br><br>'; } // Get list of project id allowed to user $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,$mine,1,$socid); // Get list of tasks in tasksarray and taskarrayfiltered // We need all tasks (even not limited to a user because a task to user can have a parent that is not affected to him). $tasksarray=$taskstatic->getTasksArray(0, 0, $projectstatic->id, $socid, 0, $search_product); // We load also tasks limited to a particular user $tasksrole=($mine ? $taskstatic->getUserRolesForProjectsOrTasks(0,$user,$projectstatic->id,0) : ''); print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'">'; print '<input type="hidden" name="mode" value="'.GETPOST('mode').'">'; print '<table class="noborder" width="100%">'; print '<tr class="liste_titre">'; print '<td>'.$langs->trans("Project").'</td>'; print '<td width="80">'.$langs->trans("RefTask").'</td>';
if ($user->societe_id > 0) { $socid = $user->societe_id; } if (!$user->rights->projet->lire) { accessforbidden(); } $sortfield = GETPOST("sortfield", 'alpha'); $sortorder = GETPOST("sortorder", 'alpha'); /* * View */ $socstatic = new Societe($db); $projectstatic = new Project($db); $userstatic = new User($db); $tasktmp = new Task($db); $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, $mine ? $mine : (empty($user->rights->projet->all->lire) ? 0 : 2), 1); //var_dump($projectsListId); llxHeader("", $langs->trans("Projects"), "EN:Module_Projects|FR:Module_Projets|ES:Módulo_Proyectos"); $text = $langs->trans("Projects"); if ($mine) { $text = $langs->trans("MyProjects"); } print_fiche_titre($text); // Show description of content if ($mine) { print $langs->trans("MyProjectsDesc") . '<br><br>'; } else { if (!empty($user->rights->projet->all->lire) && !$socid) { print $langs->trans("ProjectsDesc") . '<br><br>'; } else { print $langs->trans("ProjectsPublicDesc") . '<br><br>';
} $offset = $conf->liste_limit * $page; $pageprev = $page - 1; $pagenext = $page + 1; $mine = $_REQUEST['mode'] == 'mine' ? 1 : 0; $search_ref = GETPOST("search_ref"); $search_label = GETPOST("search_label"); $search_societe = GETPOST("search_societe"); $search_all = GETPOST("search_all"); /* * View */ $projectstatic = new Project($db); $socstatic = new Societe($db); llxHeader("", $langs->trans("Projects"), "EN:Module_Projects|FR:Module_Projets|ES:Módulo_Proyectos"); $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, $mine ? $mine : ($user->rights->projet->all->lire ? 2 : 0), 1, $socid); $sql = "SELECT p.rowid as projectid, p.ref, p.title, p.fk_statut, p.public, p.fk_user_creat"; $sql .= ", p.datec as date_create, p.dateo as date_start, p.datee as date_end"; $sql .= ", s.nom as name, s.rowid as socid"; $sql .= " FROM " . MAIN_DB_PREFIX . "projet as p"; $sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "societe as s on p.fk_soc = s.rowid"; $sql .= " WHERE p.entity = " . $conf->entity; if ($mine || !$user->rights->projet->all->lire) { $sql .= " AND p.rowid IN (" . $projectsListId . ")"; } // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; if ($socid) { $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = " . $socid . ")"; } if ($search_ref) {
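/**
 * Check permissions of a user to show a page and an object. Checks read permission;
 * when GETPOST('action') is set, write / delete / create-user permission is also checked.
 *
 * Flow: (1) module-level read permission for every feature in $features (an admin user
 * returns 1 right after this step and skips everything below, including the per-object
 * lookup); (2) create / delete / create-user permission depending on the requested
 * action; (3) when $objectid is given, a per-object lookup that verifies the record is
 * in an allowed entity and, for most features, linked to a third party the user may see.
 * Any failed check ends the process through accessforbidden().
 *
 * @param User   $user         User to check
 * @param string $features     Features to check (in most cases the module name, e.g. 'societe', 'contact', 'produit|service'); several may be joined with '&'
 * @param int    $objectid     Object ID if we want to check permission on a particular record (optional)
 * @param string $dbtablename  'TableName&SharedElement': TableName is the table where the object is stored, SharedElement is the key used to resolve the entity filter. Not used if objectid is null (optional)
 * @param string $feature2     Feature to check, second level of permission (optional)
 * @param string $dbt_keyfield Field name of the third-party foreign key if not fk_soc (optional)
 * @param string $dbt_select   Field name used to look the object up if not rowid (optional)
 * @param Canvas $objcanvas    Object canvas
 * @return int                 Always 1; the process dies through accessforbidden() if not allowed
 */
function restrictedArea($user, $features, $objectid = 0, $dbtablename = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $objcanvas = null)
{
    global $db, $conf;

    // A canvas may provide its own restrictedArea(); delegate to it when present.
    if (is_object($objcanvas)) {
        if (method_exists($objcanvas->control, 'restrictedArea')) {
            return $objcanvas->control->restrictedArea($user, $features, $objectid, $dbtablename, $feature2, $dbt_keyfield, $dbt_select);
        }
    }

    if ($dbt_select != 'rowid') {
        // Lookup by a non-numeric column (e.g. ref): the value is quoted for the SQL below.
        // NOTE(review): the value is only quoted, never escaped, and a quoted string never
        // satisfies the `$objectid > 0` test further down, so the per-object lookup is
        // effectively skipped for such callers. Enabling it requires escaping the value
        // through the database layer first.
        $objectid = "'" . $objectid . "'";
    } else {
        // rowid lookups are numeric: cast so that a value a caller took straight from the
        // request cannot reach the SQL strings below as raw text.
        $objectid = (int) $objectid;
    }

    // Several features may be checked at once ('feature1&feature2').
    $features = explode("&", $features);

    // Split 'TableName&SharedElement'.
    $params = explode('&', $dbtablename);
    $dbtablename = !empty($params[0]) ? $params[0] : '';
    $sharedelement = !empty($params[1]) ? $params[1] : '';

    // Check read permission from module
    // TODO Replace "feature" param into caller by first level of permission
    $readok = 1;
    foreach ($features as $feature) {
        if ($feature == 'societe') {
            if (!$user->rights->societe->lire && !$user->rights->fournisseur->lire) {
                $readok = 0;
            }
        } elseif ($feature == 'contact') {
            if (!$user->rights->societe->contact->lire) {
                $readok = 0;
            }
        } elseif ($feature == 'produit|service') {
            if (!$user->rights->produit->lire && !$user->rights->service->lire) {
                $readok = 0;
            }
        } elseif ($feature == 'prelevement') {
            if (!$user->rights->prelevement->bons->lire) {
                $readok = 0;
            }
        } elseif ($feature == 'commande_fournisseur') {
            if (!$user->rights->fournisseur->commande->lire) {
                $readok = 0;
            }
        } elseif ($feature == 'cheque') {
            if (!$user->rights->banque->cheque) {
                $readok = 0;
            }
        } elseif ($feature == 'projet') {
            if (!$user->rights->projet->lire && !$user->rights->projet->all->lire) {
                $readok = 0;
            }
        } elseif (!empty($feature2)) {
            // Generic two-level permission: accept either the French or the English verb.
            if (empty($user->rights->{$feature}->{$feature2}->lire) && empty($user->rights->{$feature}->{$feature2}->read)) {
                $readok = 0;
            }
        } elseif (!empty($feature) && ($feature != 'user' && $feature != 'usergroup')) {
            // Generic one-level permission ('user' and 'usergroup' have no read right to test here).
            if (empty($user->rights->{$feature}->lire) && empty($user->rights->{$feature}->read) && empty($user->rights->{$feature}->run)) {
                $readok = 0;
            }
        }
    }

    // Admins skip every remaining check, including the per-object ownership lookup.
    if ($user->admin) {
        return 1;
    }
    if (!$readok) {
        accessforbidden();
    }

    // Check write permission from module
    $createok = 1;
    if (GETPOST("action") == 'create') {
        foreach ($features as $feature) {
            if ($feature == 'contact') {
                if (!$user->rights->societe->contact->creer) {
                    $createok = 0;
                }
            } elseif ($feature == 'produit|service') {
                if (!$user->rights->produit->creer && !$user->rights->service->creer) {
                    $createok = 0;
                }
            } elseif ($feature == 'prelevement') {
                if (!$user->rights->prelevement->bons->creer) {
                    $createok = 0;
                }
            } elseif ($feature == 'commande_fournisseur') {
                if (!$user->rights->fournisseur->commande->creer) {
                    $createok = 0;
                }
            } elseif ($feature == 'banque') {
                if (!$user->rights->banque->modifier) {
                    $createok = 0;
                }
            } elseif ($feature == 'cheque') {
                if (!$user->rights->banque->cheque) {
                    $createok = 0;
                }
            } elseif (!empty($feature2)) {
                if (empty($user->rights->{$feature}->{$feature2}->creer) && empty($user->rights->{$feature}->{$feature2}->write)) {
                    $createok = 0;
                }
            } elseif (!empty($feature)) {
                if (empty($user->rights->{$feature}->creer) && empty($user->rights->{$feature}->write)) {
                    $createok = 0;
                }
            }
        }
        // Cannot trigger any more (admins returned above); kept so the block stays safe if the early return is ever moved.
        if ($user->admin) {
            $createok = 1;
        }
        if (!$createok) {
            accessforbidden();
        }
    }

    // Check create user permission
    $createuserok = 1;
    if (GETPOST("action") == 'confirm_create_user' && GETPOST("confirm") == 'yes') {
        if (!$user->rights->user->user->creer) {
            $createuserok = 0;
        }
        if (!$createuserok) {
            accessforbidden();
        }
    }

    // Check delete permission from module
    $deleteok = 1;
    if ((GETPOST("action") == 'confirm_delete' && GETPOST("confirm") == 'yes') || GETPOST("action") == 'delete') {
        foreach ($features as $feature) {
            if ($feature == 'contact') {
                if (!$user->rights->societe->contact->supprimer) {
                    $deleteok = 0;
                }
            } elseif ($feature == 'produit|service') {
                if (!$user->rights->produit->supprimer && !$user->rights->service->supprimer) {
                    $deleteok = 0;
                }
            } elseif ($feature == 'commande_fournisseur') {
                if (!$user->rights->fournisseur->commande->supprimer) {
                    $deleteok = 0;
                }
            } elseif ($feature == 'banque') {
                if (!$user->rights->banque->modifier) {
                    $deleteok = 0;
                }
            } elseif ($feature == 'cheque') {
                if (!$user->rights->banque->cheque) {
                    $deleteok = 0;
                }
            } elseif ($feature == 'ecm') {
                if (!$user->rights->ecm->upload) {
                    $deleteok = 0;
                }
            } elseif ($feature == 'ftp') {
                if (!$user->rights->ftp->write) {
                    $deleteok = 0;
                }
            } elseif (!empty($feature2)) {
                if (empty($user->rights->{$feature}->{$feature2}->supprimer) && empty($user->rights->{$feature}->{$feature2}->delete)) {
                    $deleteok = 0;
                }
            } elseif (!empty($feature)) {
                if (empty($user->rights->{$feature}->supprimer) && empty($user->rights->{$feature}->delete)) {
                    $deleteok = 0;
                }
            }
        }
        if (!$deleteok) {
            accessforbidden();
        }
    }

    // If we have a particular object to check permissions on, we check this object
    // is linked to a company allowed to $user.
    if (!empty($objectid) && $objectid > 0) {
        foreach ($features as $feature) {
            $sql = '';

            $check = array('adherent', 'banque', 'user', 'usergroup', 'produit', 'service', 'produit|service', 'categorie'); // Test on entity only (objects with no link to company)
            $checksoc = array('societe'); // Test for societe object
            $checkother = array('contact'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
            $checkproject = array('projet'); // Test for project object
            $nocheck = array('barcode', 'stock', 'fournisseur'); // No test
            // Everything else: test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).

            // If dbtable not defined, we use same name for table than module name
            if (empty($dbtablename)) {
                $dbtablename = $feature;
            }

            if (in_array($feature, $check)) {
                // Check permission for object with entity
                $sql = "SELECT dbt." . $dbt_select;
                $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
                // This branch needs $user->admin, which already returned above, so it cannot be reached from here.
                if (($feature == 'user' || $feature == 'usergroup') && !empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) {
                    $sql .= " AND dbt.entity IS NOT NULL";
                } else {
                    $sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
                }
            } elseif (in_array($feature, $checksoc)) {
                if ($user->societe_id > 0) {
                    // External user: may only see its own third party.
                    if ($user->societe_id != $objectid) {
                        accessforbidden();
                    }
                } elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
                    // Internal user restricted to the third parties they are sales representative of.
                    // NOTE(review): the three sc.fk_user filters in this function were garbled in the
                    // copy reviewed; the $user->id filter is reconstructed from the sibling branches
                    // and the brace structure — confirm against the upstream file.
                    $sql = "SELECT sc.fk_soc";
                    $sql .= " FROM (" . MAIN_DB_PREFIX . "societe_commerciaux as sc";
                    $sql .= ", " . MAIN_DB_PREFIX . "societe as s)";
                    $sql .= " WHERE sc.fk_soc = " . $objectid;
                    $sql .= " AND sc.fk_user = " . $user->id;
                    $sql .= " AND sc.fk_soc = s.rowid";
                    $sql .= " AND s.entity IN (" . getEntity($sharedelement, 1) . ")";
                } elseif (!empty($conf->multicompany->enabled)) {
                    $sql = "SELECT s.rowid";
                    $sql .= " FROM " . MAIN_DB_PREFIX . "societe as s";
                    $sql .= " WHERE s.rowid = " . $objectid;
                    $sql .= " AND s.entity IN (" . getEntity($sharedelement, 1) . ")";
                }
            } elseif (in_array($feature, $checkother)) {
                if ($user->societe_id > 0) {
                    // External user: the record must belong to its own third party.
                    $sql = "SELECT dbt.rowid";
                    $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                    $sql .= " WHERE dbt.rowid = " . $objectid;
                    $sql .= " AND dbt.fk_soc = " . $user->societe_id;
                } elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
                    $sql = "SELECT dbt.rowid";
                    $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                    $sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '" . $user->id . "'";
                    $sql .= " WHERE dbt.rowid = " . $objectid;
                    $sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
                    $sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
                } elseif (!empty($conf->multicompany->enabled)) {
                    $sql = "SELECT dbt.rowid";
                    $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                    $sql .= " WHERE dbt.rowid = " . $objectid;
                    $sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
                }
            } elseif (in_array($feature, $checkproject)) {
                if (!empty($conf->projet->enabled) && !$user->rights->projet->all->lire) {
                    // The project must be in the list the user is authorized on (no SQL run for this branch).
                    include_once DOL_DOCUMENT_ROOT . "/projet/class/project.class.php";
                    $projectstatic = new Project($db);
                    $tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0);
                    $tmparray = explode(',', $tmps);
                    if (!in_array($objectid, $tmparray)) {
                        accessforbidden();
                    }
                } else {
                    $sql = "SELECT dbt." . $dbt_select;
                    $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                    $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
                    $sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
                }
            } elseif (!in_array($feature, $nocheck)) {
                // Default: the record must be linked (through $dbt_keyfield) to a third party the user may see.
                if ($user->societe_id > 0) {
                    // External user: the record must belong to its own third party.
                    $sql = "SELECT dbt." . $dbt_keyfield;
                    $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                    $sql .= " WHERE dbt.rowid = " . $objectid;
                    $sql .= " AND dbt." . $dbt_keyfield . " = " . $user->societe_id;
                } elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
                    $sql = "SELECT sc.fk_soc";
                    $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                    $sql .= ", " . MAIN_DB_PREFIX . "societe as s";
                    $sql .= ", " . MAIN_DB_PREFIX . "societe_commerciaux as sc";
                    $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
                    $sql .= " AND sc.fk_soc = dbt." . $dbt_keyfield;
                    $sql .= " AND dbt." . $dbt_keyfield . " = s.rowid";
                    $sql .= " AND s.entity IN (" . getEntity($sharedelement, 1) . ")";
                    $sql .= " AND sc.fk_user = " . $user->id;
                } elseif (!empty($conf->multicompany->enabled)) {
                    $sql = "SELECT dbt." . $dbt_select;
                    $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                    $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
                    $sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
                }
            }

            // A branch that built no query (e.g. $nocheck features) is allowed; otherwise the
            // record must be found, and a failing query is treated as a denial.
            if ($sql) {
                $resql = $db->query($sql);
                if ($resql) {
                    if ($db->num_rows($resql) == 0) {
                        accessforbidden();
                    }
                } else {
                    dol_syslog("security.lib:restrictedArea sql=" . $sql, LOG_ERR);
                    accessforbidden();
                }
            }
        }
    }

    return 1;
}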
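/**
 * Output a combo list of tasks (each shown with its project) qualified for a third party.
 *
 * Tasks are read from the task table joined to their project; when the user lacks
 * projet->all->lire, the projects are restricted to getProjectsAuthorizedForUser().
 * The generated HTML is printed directly, not returned.
 *
 * @param int    $socid          Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id)
 * @param int    $selected       Id of the task preselected
 * @param string $htmlname       Name of HTML select
 * @param int    $maxlength      Maximum length of the project title and task label shown
 * @param int    $option_only    Return only html option lines without the select tag
 * @param int    $show_empty     Add an empty line
 * @param int    $discard_closed Discard closed projects (0=Keep, 1=hide completely, 2=Disable)
 * @param int    $forcefocus     Force focus on field (works with javascript only)
 * @param int    $disabled       Render the whole select disabled
 * @return int                   Number of task rows read if OK, <0 if KO
 */
function selectTasks($socid = -1, $selected = '', $htmlname = 'taskid', $maxlength = 24, $option_only = 0, $show_empty = 1, $discard_closed = 0, $forcefocus = 0, $disabled = 0)
{
    global $user, $conf, $langs;

    require_once DOL_DOCUMENT_ROOT . '/projet/class/project.class.php';

    $out = '';

    // $socid is documented as an int and is concatenated into the SQL below: normalise it
    // so that a value a caller took from the request cannot inject anything.
    $socid = (int) $socid;

    $hideunselectables = false;
    if (!empty($conf->global->PROJECT_HIDE_UNSELECTABLES)) {
        $hideunselectables = true;
    }

    // Without projet->all->lire, only projects the user is authorized on are listed.
    $projectsListId = false;
    if (empty($user->rights->projet->all->lire)) {
        $projectstatic = new Project($this->db);
        $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
    }

    // Search all tasks with their project and the project's third party
    $sql = 'SELECT t.rowid, t.ref as tref, t.label as tlabel, p.ref, p.title, p.fk_soc, p.fk_statut, p.public,';
    $sql .= ' s.nom as name';
    $sql .= ' FROM ' . MAIN_DB_PREFIX . 'projet as p';
    $sql .= ' LEFT JOIN ' . MAIN_DB_PREFIX . 'societe as s ON s.rowid = p.fk_soc';
    $sql .= ', ' . MAIN_DB_PREFIX . 'projet_task as t';
    $sql .= " WHERE p.entity = " . $conf->entity;
    $sql .= " AND t.fk_projet = p.rowid";
    if ($projectsListId !== false) {
        $sql .= " AND p.rowid IN (" . $projectsListId . ")";
    }
    if ($socid == 0) {
        $sql .= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
    }
    if ($socid > 0) {
        $sql .= " AND (p.fk_soc=" . $socid . " OR p.fk_soc IS NULL)";
    }
    $sql .= " ORDER BY p.ref, t.ref ASC";

    dol_syslog(__METHOD__, LOG_DEBUG);
    $resql = $this->db->query($sql);
    if (!$resql) {
        dol_print_error($this->db);
        return -1;
    }

    // Use select2 selector when javascript is enabled
    $minmax = '';
    $nodatarole = '';
    if (!empty($conf->use_javascript_ajax)) {
        include_once DOL_DOCUMENT_ROOT . '/core/lib/ajax.lib.php';
        $comboenhancement = ajax_combobox($htmlname, '', 0, $forcefocus);
        $out .= $comboenhancement;
        $nodatarole = $comboenhancement ? ' data-role="none"' : '';
        $minmax = 'minwidth200';
    }

    if (empty($option_only)) {
        $out .= '<select class="flat' . ($minmax ? ' ' . $minmax : '') . '"' . ($disabled ? ' disabled="disabled"' : '') . ' id="' . $htmlname . '" name="' . $htmlname . '"' . $nodatarole . '>';
    }
    if (!empty($show_empty)) {
        $out .= '<option value="0"> </option>';
    }

    $num = $this->db->num_rows($resql);
    for ($i = 0; $i < $num; $i++) {
        $obj = $this->db->fetch_object($resql);

        // Upstream intent: when filtering on a company, a user without permission to see all
        // companies must not see projects linked to another company.
        // NOTE(review): the condition actually matches projects that are NOT linked to another
        // company (empty or same fk_soc); kept unchanged — confirm the intended behaviour.
        if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && !$user->rights->societe->lire) {
            continue;
        }

        if ($discard_closed == 1 && $obj->fk_statut == 2) {
            continue;
        }

        // Every database-sourced string is escaped before it becomes option text.
        $labeltoshow = htmlspecialchars(dol_trunc($obj->ref, 18), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $labeltoshow .= ' ' . htmlspecialchars(dol_trunc($obj->title, $maxlength), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        if ($obj->name) {
            $labeltoshow .= ' (' . htmlspecialchars($obj->name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ')';
        }

        // Per-option flag, distinct from the $disabled parameter that applies to the <select> itself.
        $optdisabled = 0;
        if ($obj->fk_statut == 0) {
            $optdisabled = 1;
            $labeltoshow .= ' - ' . $langs->trans("Draft");
        } elseif ($obj->fk_statut == 2) {
            if ($discard_closed == 2) {
                $optdisabled = 1;
            }
            $labeltoshow .= ' - ' . $langs->trans("Closed");
        } elseif ($socid > 0 && (!empty($obj->fk_soc) && $obj->fk_soc != $socid)) {
            $optdisabled = 1;
            $labeltoshow .= ' - ' . $langs->trans("LinkedToAnotherCompany");
        }

        // Label for task
        $labeltoshow .= ' - ' . htmlspecialchars($obj->tref . ' ' . dol_trunc($obj->tlabel, $maxlength), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

        if (!empty($selected) && $selected == $obj->rowid) {
            // With select2 a preselected option cannot be disabled, so the flag is ignored here.
            $out .= '<option value="' . $obj->rowid . '" selected>' . $labeltoshow . '</option>';
        } elseif ($hideunselectables && $optdisabled && $selected != $obj->rowid) {
            // Unselectable entries are hidden entirely when PROJECT_HIDE_UNSELECTABLES is set.
        } else {
            $out .= '<option value="' . $obj->rowid . '"' . ($optdisabled ? ' disabled' : '') . '>' . $labeltoshow . '</option>';
        }
    }

    if (empty($option_only)) {
        $out .= '</select>';
    }

    print $out;

    $this->db->free($resql);

    return $num;
}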
$project = new Project($db);
$taskstatic = new Task($db);

// Previous / next day for the navigation links.
// NOTE(review): a fixed 24h offset is used; whether this always lands on the adjacent
// calendar day around a DST switch depends on dol_getdate() — confirm if it matters.
$prev = dol_getdate($daytoparse - 24 * 3600);
$prev_year = $prev['year'];
$prev_month = $prev['mon'];
$prev_day = $prev['mday'];

$next = dol_getdate($daytoparse + 24 * 3600);
$next_year = $next['year'];
$next_month = $next['mon'];
$next_day = $next['mday'];

$title = $langs->trans("TimeSpent");
if ($mine) {
    $title = $langs->trans("MyTimeSpent");
}

$usertoprocess = $user;

// All projects the user has permission on, not only their own: some of the user's
// tasks may sit on a public project that is not theirs.
// NOTE(review): $projectstatic is not assigned in this run; presumably created earlier in the file — confirm.
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($usertoprocess, 0, 1);

if ($id) {
    $project->fetch($id);
    $project->fetch_thirdparty();
}

$onlyopenedproject = 1; // or -1

// Every task of the opened projects the user may see, not only their own; only the
// user's own tasks will be editable later on.
$tasksarray = $taskstatic->getTasksArray(0, 0, $project->id ?: 0, $socid, 0, '', $onlyopenedproject);
$projectsrole = $taskstatic->getUserRolesForProjectsOrTasks($usertoprocess, 0, $project->id ?: 0, 0, $onlyopenedproject);
$tasksrole = $taskstatic->getUserRolesForProjectsOrTasks(0, $usertoprocess, $project->id ?: 0, 0, $onlyopenedproject);

llxHeader("", $title, "");
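if (!empty($projectstatic->socid)) {
    $projectstatic->societe->fetch($projectstatic->socid);
}

// To verify role of users
// NOTE(review): the project access check below is commented out, so this page relies on
// restrictedArea() having been called earlier in the file — confirm that it is.
//$userAccess = $projectstatic->restrictedProjectArea($user);

// We allow task affected to user even if a not allowed project
//$arrayofuseridoftask=$task->getListContactId('internal');

$head = task_prepare_head($task);
dol_fiche_head($head, 'note', $langs->trans('Task'), 0, 'projecttask');

print '<table class="border" width="100%">';

// Ref
print '<tr><td width="30%">' . $langs->trans("Ref") . '</td><td>';
// Prev/next navigation is limited to tasks of projects the user is allowed to see.
$projectsListId = $project->getProjectsAuthorizedForUser($user, $mine, 1);
// An empty list would produce "IN ()", which is not valid SQL; "IN (0)" simply matches nothing.
$task->next_prev_filter = " fk_projet in (" . (empty($projectsListId) ? '0' : $projectsListId) . ")";
print $html->showrefnav($task, 'id', '', 1, 'rowid', 'ref', '', '');
print '</td></tr>';

// Label: stored text, escaped before it is written into the page
print '<tr><td>' . $langs->trans("Label") . '</td><td>' . htmlspecialchars($task->label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td></tr>';

// Project
print '<tr><td>' . $langs->trans("Project") . '</td><td colspan="3">';
print $projectstatic->getNomUrl(1);
print '</td></tr>';

// Third party
print '<tr><td>' . $langs->trans("Company") . '</td><td>';
if ($projectstatic->societe->id > 0) {
    print $projectstatic->societe->getNomUrl(1);
}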
// Load the users selected as project / task filters.
if ($search_project_user > 0) {
    $puser->fetch($search_project_user);
}
if ($search_task_user > 0) {
    $tuser->fetch($search_task_user);
}

$title = $langs->trans("Activities");
if ($search_task_user == $user->id) {
    $title = $langs->trans("MyActivities");
}

llxHeader("", $title, "Projet");

if ($id) {
    $projectstatic->fetch($id);
    $projectstatic->societe->fetch($projectstatic->societe->id);
}

// Comma-separated list of project ids the user may see; not needed when the user may read all projects.
if (!$user->rights->projet->all->lire) {
    $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, $socid);
}

// Ids of the internal contact types defined for projects (this list never contains a lot of elements).
// $projectstatic->element is an application constant, not user input.
$listofprojectcontacttype = array();
$sql = "SELECT ctc.rowid, ctc.code FROM " . MAIN_DB_PREFIX . "c_type_contact as ctc"
    . " WHERE ctc.element = '" . $projectstatic->element . "'"
    . " AND ctc.source = 'internal'";
$resql = $db->query($sql);
if ($resql) {
    for ($obj = $db->fetch_object($resql); $obj; $obj = $db->fetch_object($resql)) {
        $listofprojectcontacttype[$obj->rowid] = $obj->code;
    }
}
/**
 * Check access by user to object.
 *
 * One check is run per entry of $featuresarray. Depending on the feature the check is
 * either a direct comparison (an external user against his own third party, a restricted
 * user against the list returned by Project::getProjectsAuthorizedForUser()) or a SQL
 * query that must return at least one row. The first failing feature returns false; a
 * feature for which no SQL is built (see $nocheck and the unrestricted branches) passes.
 * A query that cannot be executed also counts as a failure.
 *
 * NOTE(review): $objectid, $dbtablename, $dbt_select and $dbt_keyfield are concatenated
 * into the SQL text below with no escaping or casting. Nothing in this function validates
 * them; callers must pass a validated integer id and trusted table/column names.
 *
 * @param User   $user          User to check
 * @param array  $featuresarray Features/modules to check
 * @param int    $objectid      Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
 * @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
 * @param string $feature2      Feature to check, second level of permission (optional). Can be or check with 'level1|level2'. Not read by the body below; kept for signature compatibility.
 * @param string $dbt_keyfield  Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
 * @param string $dbt_select    Field name for select if not rowid. Not used if objectid is null (optional)
 *
 * @return bool True if user has access, False otherwise
 */
function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid')
{
    global $db, $conf;

    // More parameters: 'table&shared' -> table name; the shared element defaults to the table name.
    $params = explode('&', $tableandshare);
    $dbtablename = !empty($params[0]) ? $params[0] : '';
    $sharedelement = !empty($params[1]) ? $params[1] : $dbtablename;

    foreach ($featuresarray as $feature) {
        $sql = '';
        $check = array('adherent', 'banque', 'user', 'usergroup', 'produit', 'service', 'produit|service', 'categorie'); // Test on entity only (Objects with no link to company)
        $checksoc = array('societe'); // Test for societe object
        $checkother = array('contact'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
        $checkproject = array('projet'); // Test for project object
        $nocheck = array('barcode', 'stock', 'fournisseur'); // No test
        $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...). Documentation only: never read.
        // NOTE(review): 'categorie' is entity-checked here but listed under $nocheck in restrictedArea(); the two functions disagree on it.

        // If dbtable not defined, we use same name for table than module name
        // (the value then persists for the following features of this loop).
        if (empty($dbtablename)) {
            $dbtablename = $feature;
        }

        // Check permission for object with entity
        if (in_array($feature, $check)) {
            $sql = "SELECT dbt." . $dbt_select;
            $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
            $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
            // Users/groups: an admin of entity 1 with no own entity may reach records of any entity under multicompany.
            if (($feature == 'user' || $feature == 'usergroup') && !empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) {
                $sql .= " AND dbt.entity IS NOT NULL";
            } else {
                $sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
            }
        } else {
            if (in_array($feature, $checksoc)) {
                // If external user: Check permission for external users (only his own third party; loose comparison)
                if ($user->societe_id > 0) {
                    if ($user->societe_id != $objectid) {
                        return false;
                    }
                } else {
                    // Internal user restricted to his own customers: the third party must be linked to him as sales representative.
                    if (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
                        $sql = "SELECT sc.fk_soc";
                        $sql .= " FROM (" . MAIN_DB_PREFIX . "societe_commerciaux as sc";
                        $sql .= ", " . MAIN_DB_PREFIX . "societe as s)";
                        $sql .= " WHERE sc.fk_soc = " . $objectid;
                        // NOTE(review): "******" is a corpus redaction of the original expression; not recoverable here.
                        $sql .= " AND sc.fk_user = "******" AND sc.fk_soc = s.rowid";
                        $sql .= " AND s.entity IN (" . getEntity($sharedelement, 1) . ")";
                    } else {
                        // Unrestricted internal user: only the entity is checked, and only under multicompany.
                        if (!empty($conf->multicompany->enabled)) {
                            $sql = "SELECT s.rowid";
                            $sql .= " FROM " . MAIN_DB_PREFIX . "societe as s";
                            $sql .= " WHERE s.rowid = " . $objectid;
                            $sql .= " AND s.entity IN (" . getEntity($sharedelement, 1) . ")";
                        }
                    }
                }
            } else {
                if (in_array($feature, $checkother)) {
                    // If external user: Check permission for external users (record must be linked to his third party)
                    if ($user->societe_id > 0) {
                        $sql = "SELECT dbt." . $dbt_select;
                        $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                        $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
                        $sql .= " AND dbt.fk_soc = " . $user->societe_id;
                    } else {
                        if (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
                            $sql = "SELECT dbt." . $dbt_select;
                            $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                            // NOTE(review): '******' is a corpus redaction of the original expression; not recoverable here.
                            $sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '******'";
                            $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
                            $sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
                            $sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
                        } else {
                            if (!empty($conf->multicompany->enabled)) {
                                $sql = "SELECT dbt." . $dbt_select;
                                $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                                $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
                                $sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
                            }
                        }
                    }
                } else {
                    if (in_array($feature, $checkproject)) {
                        // Restricted user: decided only by membership in the authorized-project list
                        // (comma-separated string, non-strict in_array); no SQL is built, so the entity is not re-checked here.
                        if (!empty($conf->projet->enabled) && !$user->rights->projet->all->lire) {
                            include_once DOL_DOCUMENT_ROOT . '/projet/class/project.class.php';
                            $projectstatic = new Project($db);
                            $tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0);
                            $tmparray = explode(',', $tmps);
                            if (!in_array($objectid, $tmparray)) {
                                return false;
                            }
                        } else {
                            $sql = "SELECT dbt." . $dbt_select;
                            $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                            $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
                            $sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
                        }
                    } else {
                        // Default: objects linked to a third party through $dbt_keyfield.
                        if (!in_array($feature, $nocheck)) {
                            // If external user: Check permission for external users
                            if ($user->societe_id > 0) {
                                // Execution continues after dol_print_error(), so the query below is still built with an empty column name.
                                if (empty($dbt_keyfield)) {
                                    dol_print_error('', 'Param dbt_keyfield is required but not defined');
                                }
                                $sql = "SELECT dbt." . $dbt_keyfield;
                                $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                                $sql .= " WHERE dbt.rowid = " . $objectid;
                                $sql .= " AND dbt." . $dbt_keyfield . " = " . $user->societe_id;
                            } else {
                                if (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
                                    if (empty($dbt_keyfield)) {
                                        dol_print_error('', 'Param dbt_keyfield is required but not defined');
                                    }
                                    $sql = "SELECT sc.fk_soc";
                                    $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                                    $sql .= ", " . MAIN_DB_PREFIX . "societe as s";
                                    $sql .= ", " . MAIN_DB_PREFIX . "societe_commerciaux as sc";
                                    $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
                                    $sql .= " AND sc.fk_soc = dbt." . $dbt_keyfield;
                                    $sql .= " AND dbt." . $dbt_keyfield . " = s.rowid";
                                    $sql .= " AND s.entity IN (" . getEntity($sharedelement, 1) . ")";
                                    // NOTE(review): "******" is a corpus redaction; the text between it and the following
                                    // SELECT (the end of this branch and the start of the multicompany branch) is not recoverable here.
                                    $sql .= " AND sc.fk_user = "******"SELECT dbt." . $dbt_select;
                                    $sql .= " FROM " . MAIN_DB_PREFIX . $dbtablename . " as dbt";
                                    $sql .= " WHERE dbt." . $dbt_select . " = " . $objectid;
                                    $sql .= " AND dbt.entity IN (" . getEntity($sharedelement, 1) . ")";
                                }
                            }
                        }
                    }
                }
            }
        }
        }
        //print "sql=".$sql."<br>";
        // A built query must return at least one row; a query error is treated as denied.
        if ($sql) {
            $resql = $db->query($sql);
            if ($resql) {
                if ($db->num_rows($resql) == 0) {
                    return false;
                }
            } else {
                return false;
            }
        }
    }
    return true;
}
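/**
 * Show a combo list with projects qualified for a third party
 *
 * Builds the <select> (or only its <option> tags) into a string, prints it and returns
 * the number of rows the query produced. Users without the "read all projects" right
 * only get the projects returned by Project::getProjectsAuthorizedForUser().
 *
 * @param int    $socid       Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id)
 * @param int    $selected    Id project preselected
 * @param string $htmlname    Name of the html select
 * @param int    $maxlength   Maximum length of label
 * @param int    $option_only Output only the <option> tags, without the enclosing <select>
 * @param int    $show_empty  Add an empty line
 * @return int                Nber of project if OK, <0 if KO
 */
function select_projects($socid = -1, $selected = '', $htmlname = 'projectid', $maxlength = 16, $option_only = 0, $show_empty = 1)
{
    global $user, $conf, $langs;

    require_once DOL_DOCUMENT_ROOT . '/projet/class/project.class.php';

    $out = '';

    $hideunselectables = !empty($conf->global->PROJECT_HIDE_UNSELECTABLES);

    // false = no restriction; otherwise a comma-separated list of readable project ids.
    $projectsListId = false;
    if (empty($user->rights->projet->all->lire)) {
        $projectstatic = new Project($this->db);
        $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
    }

    // Search all projects
    $sql = 'SELECT p.rowid, p.ref, p.title, p.fk_soc, p.fk_statut, p.public';
    $sql .= ' FROM ' . MAIN_DB_PREFIX . 'projet as p';
    $sql .= " WHERE p.entity = " . $conf->entity;
    if ($projectsListId !== false) {
        // An empty list would produce "IN ()", which is invalid SQL; "IN (0)" simply matches nothing.
        $sql .= " AND p.rowid IN (" . ($projectsListId !== '' ? $projectsListId : '0') . ")";
    }
    if ($socid == 0) {
        $sql .= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
    }
    if ($socid > 0) {
        // $socid is documented as an int and reaches the query text verbatim: cast at the concatenation point.
        $sql .= " AND (p.fk_soc=" . (int) $socid . " OR p.fk_soc IS NULL)";
    }
    $sql .= " ORDER BY p.ref ASC";

    dol_syslog(get_class($this) . "::select_projects sql=" . $sql, LOG_DEBUG);
    $resql = $this->db->query($sql);
    if (!$resql) {
        dol_print_error($this->db);
        return -1;
    }

    if (empty($option_only)) {
        $out .= '<select class="flat" name="' . $htmlname . '">';
    }
    if (!empty($show_empty)) {
        $out .= '<option value="0"> </option>';
    }

    $num = $this->db->num_rows($resql);
    for ($i = 0; $i < $num; $i++) {
        $obj = $this->db->fetch_object($resql);

        // Hidden when a company filter is active, the user may not read companies, and the project
        // has no company or the filtered one. NOTE(review): the original comment described this as
        // hiding projects linked to *another* company, which is the opposite of the condition — confirm intent.
        if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && !$user->rights->societe->lire) {
            continue;
        }

        // ref/title come from the database and are emitted as returned by dol_trunc();
        // whether dol_trunc() HTML-escapes is not visible here.
        $labeltoshow = dol_trunc($obj->ref, 18);
        if (!empty($selected) && $selected == $obj->rowid && $obj->fk_statut > 0) {
            $out .= '<option value="' . $obj->rowid . '" selected="selected">' . $labeltoshow . ' - ' . dol_trunc($obj->title, $maxlength) . '</option>';
            continue;
        }

        $disabled = 0;
        $labeltoshow .= ' ' . dol_trunc($obj->title, $maxlength);
        if (!$obj->fk_statut > 0) { // status 0/empty: draft project
            $disabled = 1;
            $labeltoshow .= ' - ' . $langs->trans("Draft");
        }
        if ($socid > 0 && (!empty($obj->fk_soc) && $obj->fk_soc != $socid)) {
            $disabled = 1;
            $labeltoshow .= ' - ' . $langs->trans("LinkedToAnotherCompany");
        }
        if ($hideunselectables && $disabled) {
            continue;
        }

        $resultat = '<option value="' . $obj->rowid . '"';
        if ($disabled) {
            $resultat .= ' disabled="disabled"';
        }
        $resultat .= '>' . $labeltoshow . '</option>';
        $out .= $resultat;
    }

    if (empty($option_only)) {
        $out .= '</select>';
    }

    print $out;
    $this->db->free($resql);

    return $num;
}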
/**
 * Load indicators for dashboard (this->nbtodo and this->nbtodolate)
 *
 * Counts the tasks still to do (progress < 100) of open projects (p.fk_statut = 1) the
 * user may see, and how many of them are late according to Task::hasDelay(). Both
 * counters are carried by the returned WorkboardResponse; only $this->error is written
 * on $this (on query failure).
 *
 * @param User $user Objet user
 * @return WorkboardResponse|int <0 if KO, WorkboardResponse if OK
 */
function load_board($user)
{
    global $conf, $langs;

    $mine=0; // hard-coded: the "$mine ||" branch below therefore reduces to the rights check
    $socid=$user->societe_id; // external users: restricted to their own third party
    $projectstatic = new Project($this->db);
    $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,$mine,1,$socid);

    // List of tasks (does not care about permissions. Filtering will be done later)
    $sql = "SELECT p.rowid as projectid, p.fk_statut as projectstatus,";
    $sql.= " t.rowid as taskid, t.progress as progress, t.fk_statut as status,";
    $sql.= " t.dateo as date_start, t.datee as datee";
    $sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
    $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
    // Sales-rep join only for internal users restricted to their own customers (same condition as the WHERE clause below).
    if (! $user->rights->societe->client->voir && ! $socid) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc = s.rowid";
    $sql.= ", ".MAIN_DB_PREFIX."projet_task as t";
    $sql.= " WHERE p.entity IN (".getEntity('project').')';
    $sql.= " AND p.fk_statut = 1";
    $sql.= " AND t.fk_projet = p.rowid";
    $sql.= " AND t.progress < 100"; // tasks to do
    if ($mine || ! $user->rights->projet->all->lire) $sql.= " AND p.rowid IN (".$projectsListId.")";
    // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
    //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
    if ($socid) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
    // NOTE(review): "******" is a corpus redaction of the original expression; not recoverable here.
    if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = "******") OR (s.rowid IS NULL))";

    //print $sql;
    $resql=$this->db->query($sql);
    if ($resql)
    {
        $task_static = new Task($this->db);

        $response = new WorkboardResponse();
        $response->warning_delay = $conf->projet->task->warning_delay/60/60/24; // presumably seconds -> days; confirm the unit of the config value
        $response->label = $langs->trans("OpenedTasks");
        if ($user->rights->projet->all->lire) $response->url = DOL_URL_ROOT.'/projet/tasks/list.php?mainmenu=project';
        else $response->url = DOL_URL_ROOT.'/projet/tasks/list.php?mode=mine&mainmenu=project';
        $response->img = img_object($langs->trans("Tasks"),"task");

        // This assignment in condition is not a bug. It allows walking the results.
        while ($obj=$this->db->fetch_object($resql))
        {
            $response->nbtodo++;

            // A single Task instance is reused as a scratch object; only the fields hasDelay() needs are set.
            $task_static->projectstatus = $obj->projectstatus;
            $task_static->progress = $obj->progress;
            $task_static->fk_statut = $obj->status;
            $task_static->datee = $this->db->jdate($obj->datee);

            if ($task_static->hasDelay()) {
                $response->nbtodolate++;
            }
        }

        return $response;
    }
    else
    {
        $this->error=$this->db->error();
        return -1;
    }
}
/**
 * Check permissions of a user to show a page and an object. Check read permission
 * If $_REQUEST['action'] defined, we also check write and delete permission.
 *
 * Order of checks: read right for every feature of $features ('a&b' = both), then, driven
 * by GETPOST("action"), the create / create-user / delete rights, and finally, when
 * $objectid is a positive id, that the record itself is reachable by the user (own third
 * party for external users, sales-rep link for internal users without the "see all
 * customers" right, entity for the others). Every failure calls accessforbidden().
 *
 * NOTE(review): $objectid, $dbtablename, $dbt_keyfield and $dbt_select are placed into the
 * SQL text verbatim (no escaping, no cast). The quoting applied for a non-rowid
 * $dbt_select adds the quotes only.
 *
 * @param user          User to check
 * @param features      Features to check (in most cases, it's module name)
 * @param objectid      Object ID if we want to check permission on a particular record (optionnal)
 * @param dbtablename   Table name where object is stored. Not used if objectid is null (optionnal)
 * @param feature2      Feature to check (second level of permission)
 * @param dbt_keyfield  Field name for socid foreign key if not fk_soc. (optionnal)
 * @param dbt_select    Field name for select if not rowid. (optionnal)
 * @return int Always 1, die process if not allowed
 */
function restrictedArea($user, $features='societe', $objectid=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid')
{
    global $db, $conf;

    //dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename,$feature2,$dbt_socfield,$dbt_select");
    // NOTE(review): this wraps the id in quotes but does not escape it. The quoted value is a
    // non-numeric string, so the "$objectid > 0" guard further down is not satisfied and the
    // per-object check appears to be skipped whenever $dbt_select is not 'rowid' - confirm.
    if ($dbt_select != 'rowid') $objectid = "'".$objectid."'";

    //print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
    //print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
    //print ", perm: ".$features."->".$feature2."=".$user->rights->$features->$feature2->lire."<br>";

    // More features to check
    $features = explode("&",$features);
    //var_dump($features);

    // Check read permission from module
    // TODO Replace "feature" param by permission for reading
    // Features without an explicit branch fall back to $user->rights->$feature->lire/read/run;
    // 'user' and 'usergroup' get no read check at all here.
    $readok=1;
    foreach ($features as $feature) {
        if ($feature == 'societe') {
            if (! $user->rights->societe->lire && ! $user->rights->fournisseur->lire) $readok=0;
        } else if ($feature == 'contact') {
            if (! $user->rights->societe->contact->lire) $readok=0;
        } else if ($feature == 'produit|service') {
            if (! $user->rights->produit->lire && ! $user->rights->service->lire) $readok=0;
        } else if ($feature == 'prelevement') {
            if (! $user->rights->prelevement->bons->lire) $readok=0;
        } else if ($feature == 'commande_fournisseur') {
            if (! $user->rights->fournisseur->commande->lire) $readok=0;
        } else if ($feature == 'cheque') {
            if (! $user->rights->banque->cheque) $readok=0;
        } else if ($feature == 'projet') {
            if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) $readok=0;
        } else if (! empty($feature2)) { // This should be used for future changes
            if (empty($user->rights->$feature->$feature2->lire) && empty($user->rights->$feature->$feature2->read)) $readok=0;
        } else if (! empty($feature) && ($feature!='user' && $feature!='usergroup')) { // This is for old permissions
            if (empty($user->rights->$feature->lire) && empty($user->rights->$feature->read) && empty($user->rights->$feature->run)) $readok=0;
        }
    }
    if (! $readok) {
        //print "Read access is down";
        accessforbidden();
    }
    //print "Read access is ok";

    // Check write permission from module
    // Only enforced for action=create; other write actions are not covered by this function.
    $createok=1;
    if ( GETPOST("action") && GETPOST("action") == 'create') {
        foreach ($features as $feature) {
            if ($feature == 'contact') {
                if (! $user->rights->societe->contact->creer) $createok=0;
            } else if ($feature == 'produit|service') {
                if (! $user->rights->produit->creer && ! $user->rights->service->creer) $createok=0;
            } else if ($feature == 'prelevement') {
                if (! $user->rights->prelevement->bons->creer) $createok=0;
            } else if ($feature == 'commande_fournisseur') {
                if (! $user->rights->fournisseur->commande->creer) $createok=0;
            } else if ($feature == 'banque') {
                if (! $user->rights->banque->modifier) $createok=0;
            } else if ($feature == 'cheque') {
                if (! $user->rights->banque->cheque) $createok=0;
            } else if (! empty($feature2)) { // This should be used for future changes
                if (empty($user->rights->$feature->$feature2->creer) && empty($user->rights->$feature->$feature2->write)) $createok=0;
            } else if (! empty($feature)) { // This is for old permissions
                //print '<br>feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write;
                if (empty($user->rights->$feature->creer) && empty($user->rights->$feature->write)) $createok=0;
            }
        }
        if (! $createok) accessforbidden();
        //print "Write access is ok";
    }

    // Check create user permission (action=confirm_create_user with confirm=yes)
    $createuserok=1;
    if ( GETPOST("action") && (GETPOST("action") == 'confirm_create_user' && GETPOST("confirm") == 'yes') ) {
        if (! $user->rights->user->user->creer) $createuserok=0;
        if (! $createuserok) accessforbidden();
        //print "Create user access is ok";
    }

    // Check delete permission from module (action=delete, or confirm_delete with confirm=yes)
    $deleteok=1;
    if ( GETPOST("action") && ( (GETPOST("action") == 'confirm_delete' && GETPOST("confirm") && GETPOST("confirm") == 'yes') || GETPOST("action") == 'delete') ) {
        foreach ($features as $feature) {
            if ($feature == 'contact') {
                if (! $user->rights->societe->contact->supprimer) $deleteok=0;
            } else if ($feature == 'produit|service') {
                if (! $user->rights->produit->supprimer && ! $user->rights->service->supprimer) $deleteok=0;
            } else if ($feature == 'commande_fournisseur') {
                if (! $user->rights->fournisseur->commande->supprimer) $deleteok=0;
            } else if ($feature == 'banque') {
                if (! $user->rights->banque->modifier) $deleteok=0;
            } else if ($feature == 'cheque') {
                if (! $user->rights->banque->cheque) $deleteok=0;
            } else if ($feature == 'ecm') {
                if (! $user->rights->ecm->upload) $deleteok=0;
            } else if ($feature == 'ftp') {
                if (! $user->rights->ftp->write) $deleteok=0;
            } else if (! empty($feature2)) { // This should be used for future changes
                if (empty($user->rights->$feature->$feature2->supprimer) && empty($user->rights->$feature->$feature2->delete)) $deleteok=0;
            } else if (! empty($feature)) { // This is for old permissions
                //print '<br>feature='.$feature.' creer='.$user->rights->$feature->supprimer.' write='.$user->rights->$feature->delete;
                if (empty($user->rights->$feature->supprimer) && empty($user->rights->$feature->delete)) $deleteok=0;
            }
        }
        //print "Delete access is ko";
        if (! $deleteok) accessforbidden();
        //print "Delete access is ok";
    }

    // If we have a particular object to check permissions on, we check this object
    // is linked to a company allowed to $user.
    if (! empty($objectid) && $objectid > 0) {
        foreach ($features as $feature) {
            $sql='';
            $check = array('banque','user','usergroup','produit','service','produit|service'); // Test on entity only (Objects with no link to company)
            $checksoc = array('societe'); // Test for societe object
            $checkother = array('contact'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
            $checkproject = array('projet'); // Test for project object
            $nocheck = array('categorie','barcode','stock','fournisseur'); // No test
            $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...). Documentation only: never read.
            // NOTE(review): 'categorie' is not checked here but is entity-checked in checkUserAccessToObject(); the two functions disagree on it.

            // If dbtable not defined, we use same name for table than module name
            // (the value then persists for the following features of this loop).
            if (empty($dbtablename)) $dbtablename = $feature;

            // Check permission for object with entity
            if (in_array($feature,$check)) {
                $sql = "SELECT dbt.".$dbt_select;
                $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
                $sql.= " AND dbt.entity IN (0,".(! empty($conf->entities[$dbtablename]) ? $conf->entities[$dbtablename] : $conf->entity).")";
            } else if (in_array($feature,$checksoc)) {
                // If external user: Check permission for external users (loose comparison against his own third party)
                if ($user->societe_id > 0) {
                    if ($user->societe_id <> $objectid) accessforbidden();
                }
                // If internal user: Check permission for internal users that are restricted on their objects
                else if (! $user->rights->societe->client->voir) {
                    $sql = "SELECT sc.fk_soc";
                    $sql.= " FROM (".MAIN_DB_PREFIX."societe_commerciaux as sc";
                    $sql.= ", ".MAIN_DB_PREFIX."societe as s)";
                    $sql.= " WHERE sc.fk_soc = ".$objectid;
                    // NOTE(review): "******" is a corpus redaction of the original expression; not recoverable here.
                    $sql.= " AND sc.fk_user = "******" AND sc.fk_soc = s.rowid";
                    $sql.= " AND s.entity IN (0,".(! empty($conf->entities[$dbtablename]) ? $conf->entities[$dbtablename] : $conf->entity).")";
                }
                // If multicompany and internal users with all permissions, check user is in correct entity
                else if ($conf->global->MAIN_MODULE_MULTICOMPANY) {
                    $sql = "SELECT s.rowid";
                    $sql.= " FROM ".MAIN_DB_PREFIX."societe as s";
                    $sql.= " WHERE s.rowid = ".$objectid;
                    $sql.= " AND s.entity IN (0,".(! empty($conf->entities[$dbtablename]) ? $conf->entities[$dbtablename] : $conf->entity).")";
                }
            } else if (in_array($feature,$checkother)) {
                // If external user: Check permission for external users
                if ($user->societe_id > 0) {
                    $sql = "SELECT dbt.rowid";
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= " WHERE dbt.rowid = ".$objectid;
                    $sql.= " AND dbt.fk_soc = ".$user->societe_id;
                }
                // If internal user: Check permission for internal users that are restricted on their objects
                else if (! $user->rights->societe->client->voir) {
                    $sql = "SELECT dbt.rowid";
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    // NOTE(review): '******' is a corpus redaction of the original expression; not recoverable here.
                    $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '******'";
                    $sql.= " WHERE dbt.rowid = ".$objectid;
                    $sql.= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
                    $sql.= " AND dbt.entity IN (0,".(! empty($conf->entities[$dbtablename]) ? $conf->entities[$dbtablename] : $conf->entity).")";
                }
                // If multicompany and internal users with all permissions, check user is in correct entity
                else if ($conf->global->MAIN_MODULE_MULTICOMPANY) {
                    $sql = "SELECT dbt.rowid";
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= " WHERE dbt.rowid = ".$objectid;
                    $sql.= " AND dbt.entity IN (0,".(! empty($conf->entities[$dbtablename]) ? $conf->entities[$dbtablename] : $conf->entity).")";
                }
            } else if (in_array($feature,$checkproject)) {
                // Restricted user: decided only by membership in the authorized-project list
                // (comma-separated string, non-strict in_array); no SQL is built, so no entity check here.
                if (! $user->rights->projet->all->lire) {
                    include_once(DOL_DOCUMENT_ROOT."/projet/class/project.class.php");
                    $projectstatic=new Project($db);
                    $tmps=$projectstatic->getProjectsAuthorizedForUser($user,0,1,$user->societe_id);
                    $tmparray=explode(',',$tmps);
                    if (! in_array($objectid,$tmparray)) accessforbidden();
                }
            } else if (! in_array($feature,$nocheck)) { // By default we check with link to third party
                // If external user: Check permission for external users
                if ($user->societe_id > 0) {
                    $sql = "SELECT dbt.".$dbt_keyfield;
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= " WHERE dbt.rowid = ".$objectid;
                    $sql.= " AND dbt.".$dbt_keyfield." = ".$user->societe_id;
                }
                // If internal user: Check permission for internal users that are restricted on their objects
                else if (! $user->rights->societe->client->voir) {
                    $sql = "SELECT sc.fk_soc";
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= ", ".MAIN_DB_PREFIX."societe as s";
                    $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
                    $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
                    $sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield;
                    $sql.= " AND dbt.".$dbt_keyfield." = s.rowid";
                    $sql.= " AND s.entity IN (0,".(! empty($conf->entities[$dbtablename]) ? $conf->entities[$dbtablename] : $conf->entity).")";
                    // NOTE(review): "******" is a corpus redaction; the text between it and the following SELECT
                    // (the end of this branch and the start of the multicompany branch) is not recoverable here.
                    $sql.= " AND sc.fk_user = "******"SELECT dbt.".$dbt_select;
                    $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
                    $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
                    $sql.= " AND dbt.entity IN (0,".(! empty($conf->entities[$dbtablename]) ? $conf->entities[$dbtablename] : $conf->entity).")";
                }
            }

            //print $sql."<br>";
            // A built query must return at least one row; a query error is also treated as forbidden.
            if ($sql) {
                $resql=$db->query($sql);
                if ($resql) {
                    if ($db->num_rows($resql) == 0) accessforbidden();
                } else {
                    dol_syslog("functions.lib:restrictedArea sql=".$sql, LOG_ERR);
                    accessforbidden();
                }
            }
        }
    }

    return 1;
}
// Previous and next calendar day around the day being displayed.
$prev = dol_getdate($daytoparse - (24 * 3600));
$prev_year = $prev['year'];
$prev_month = $prev['mon'];
$prev_day = $prev['mday'];

$next = dol_getdate($daytoparse + (24 * 3600));
$next_year = $next['year'];
$next_month = $next['mon'];
$next_day = $next['mday'];

$usertoprocess = $user;

$title = $langs->trans("TimeSpent");
if ($mine) {
    $title = $langs->trans("MyTimeSpent");
}

// Every project this user may read, not only his own: some of his tasks may sit on a
// public project that is not "his".
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($usertoprocess, 0, 1);

if ($id) {
    $project->fetch($id);
    $project->fetch_thirdparty();
}

$onlyopenedproject = 1; // or -1

// All tasks of the opened projects the user may see (not only his own). Which of them
// are editable is decided later from the two role arrays.
$tasksarray = $taskstatic->getTasksArray(0, 0, ($project->id ?: 0), $socid, 0, '', $onlyopenedproject);
$projectsrole = $taskstatic->getUserRolesForProjectsOrTasks($usertoprocess, 0, ($project->id ?: 0), 0, $onlyopenedproject);
$tasksrole = $taskstatic->getUserRolesForProjectsOrTasks(0, $usertoprocess, ($project->id ?: 0), 0, $onlyopenedproject);
//var_dump($tasksarray);
//var_dump($projectsrole);
//var_dump($taskrole);
/**
 * Show a combo list with projects qualified for a third party.
 *
 * Prints a <select> named $htmlname with one <option> per project the user may see and
 * returns how many rows the query produced (projects hidden by the company filter included).
 *
 * @param int    $socid    Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id)
 * @param int    $selected Id project preselected
 * @param string $htmlname Name of the html select
 * @return int             Number of projects if OK, <0 if KO
 */
function select_projects($socid = -1, $selected = '', $htmlname = 'projectid')
{
    global $db, $user, $conf, $langs;

    $projectstatic = new Project($db);

    // Restricted users get a comma-separated list of readable project ids; '' = no restriction.
    $projectsListId = '';
    if (empty($user->rights->projet->all->lire)) {
        $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
    }

    // Search the projects of the current entity
    $sql = 'SELECT p.rowid, p.ref, p.title, p.fk_soc, p.fk_statut, p.public';
    $sql .= ' FROM ' . MAIN_DB_PREFIX . 'projet as p';
    $sql .= " WHERE p.entity = " . $conf->entity;
    if ($projectsListId) {
        $sql .= " AND p.rowid in (" . $projectsListId . ")";
    }
    if ($socid == 0) {
        $sql .= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
    }
    //if ($socid > 0) $sql.= " AND (p.fk_soc=".$socid." OR p.fk_soc='0' OR p.fk_soc IS NULL)"; // We will filter later
    $sql .= " ORDER BY p.title ASC";

    dol_syslog("project.lib::select_projects sql=" . $sql);
    $resql = $db->query($sql);
    if (!$resql) {
        dol_print_error($db);
        return -1;
    }

    print '<select class="flat" name="' . $htmlname . '">';
    print '<option value="0"> </option>';

    $num = $db->num_rows($resql);
    for ($i = 0; $i < $num; $i++) {
        $obj = $db->fetch_object($resql);

        // Hidden when a company filter is active, the user may not read companies, and the
        // project has no company or the filtered one (condition kept as in the original code).
        $hidden = ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && !$user->rights->societe->lire);
        if ($hidden) {
            continue;
        }

        // ref/title come from the database and are emitted as returned by dol_trunc();
        // whether dol_trunc() HTML-escapes is not visible here.
        $labeltoshow = dol_trunc($obj->ref, 16);
        if (!empty($selected) && $selected == $obj->rowid && $obj->fk_statut > 0) {
            print '<option value="' . $obj->rowid . '" selected="selected">' . $labeltoshow . '</option>';
            continue;
        }

        $disabled = 0;
        $option = '<option value="' . $obj->rowid . '"';
        if (!$obj->fk_statut > 0) { // status 0/empty: draft project
            $disabled = 1;
            $labeltoshow .= ' - ' . $langs->trans("Draft");
        }
        if ($socid > 0 && (!empty($obj->fk_soc) && $obj->fk_soc != $socid)) {
            $disabled = 1;
            $labeltoshow .= ' - ' . $langs->trans("LinkedToAnotherCompany");
        }
        if ($disabled == 1) {
            $option .= ' disabled="true"';
        } else {
            // The title is only shown on selectable entries.
            $labeltoshow .= ' - ' . dol_trunc($obj->title, 12);
        }
        print $option . '>' . $labeltoshow . '</option>';
    }

    print '</select>';
    $db->free($resql);

    return $num;
}
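/**
 * Override of the standard FormProject method.
 * Show a combo list with projects qualified for a third party
 *
 * In 'view' mode only the selected project is rendered (link + truncated title). In any
 * other mode a <select> (or just its <option> tags) is returned as a string; when the
 * cliacropose module is enabled the select is replaced by an ajax autocompleter input.
 *
 * @param int    $socid       Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id)
 * @param int    $selected    Id project preselected
 * @param string $htmlname    Name of the html select
 * @param string $type_aff    'view' to render only the selected project, anything else to render the select
 * @param int    $maxlength   Maximum length of label
 * @param int    $option_only Output only the <option> tags, without the enclosing <select>
 * @param int    $show_empty  Add an empty line
 * @return string             select or options if OK, '' if KO (or nothing selected in 'view' mode)
 */
function custom_select_projects($socid = -1, $selected = '', $htmlname = 'projectid', $type_aff = 'view', $maxlength = 25, $option_only = 0, $show_empty = 1)
{
    global $user, $conf, $langs, $db;

    require_once DOL_DOCUMENT_ROOT . '/projet/class/project.class.php';

    $out = '';

    if ($type_aff == 'view') {
        if ($selected > 0) {
            $project = new Project($db);
            $project->fetch($selected);
            //return dol_trunc($project->ref,18).' - '.dol_trunc($project->title,$maxlength);
            return $project->getNomUrl(1) . ' - ' . dol_trunc($project->title, $maxlength);
        }
        return $out;
    }

    $hideunselectables = !empty($conf->global->PROJECT_HIDE_UNSELECTABLES);

    // false = no restriction; otherwise a comma-separated list of readable project ids.
    $projectsListId = false;
    if (empty($user->rights->projet->all->lire)) {
        $projectstatic = new Project($db);
        $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
    }

    // Search all projects
    $sql = 'SELECT p.rowid, p.ref, p.title, p.fk_soc, p.fk_statut, p.public';
    $sql .= ' FROM ' . MAIN_DB_PREFIX . 'projet as p';
    $sql .= " WHERE p.entity IN (" . getEntity('project', 1) . ")";
    if ($projectsListId !== false) {
        // An empty list would produce "IN ()", which is invalid SQL; "IN (0)" simply matches nothing.
        $sql .= " AND p.rowid IN (" . ($projectsListId !== '' ? $projectsListId : '0') . ")";
    }
    if ($socid == 0) {
        $sql .= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
    }
    if ($socid > 0) {
        // $socid is documented as an int and reaches the query text verbatim: cast at the concatenation point.
        $sql .= " AND (p.fk_soc=" . (int) $socid . " OR p.fk_soc IS NULL)";
    }
    $sql .= " ORDER BY p.ref ASC";

    $resql = $db->query($sql);
    if (!$resql) {
        dol_print_error($db);
        return '';
    }

    if (empty($option_only)) {
        $out .= '<select class="flat" name="' . $htmlname . '">';
    }
    if (!empty($show_empty)) {
        $out .= '<option value="0"> </option>';
    }

    $num = $db->num_rows($resql);
    for ($i = 0; $i < $num; $i++) {
        $obj = $db->fetch_object($resql);

        // Hidden when a company filter is active, the user may not read companies, and the project
        // has no company or the filtered one. NOTE(review): the original comment described this as
        // hiding projects linked to *another* company, which is the opposite of the condition — confirm intent.
        if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && !$user->rights->societe->lire) {
            continue;
        }

        // ref/title come from the database and are emitted as returned by dol_trunc();
        // whether dol_trunc() HTML-escapes is not visible here.
        $labeltoshow = dol_trunc($obj->ref, 18);
        if (!empty($selected) && $selected == $obj->rowid && $obj->fk_statut > 0) {
            $out .= '<option value="' . $obj->rowid . '" selected="selected">' . $labeltoshow . ' - ' . dol_trunc($obj->title, $maxlength) . '</option>';
            continue;
        }

        $disabled = 0;
        $labeltoshow .= ' ' . dol_trunc($obj->title, $maxlength);
        if (!$obj->fk_statut > 0) { // status 0/empty: draft project
            $disabled = 1;
            $labeltoshow .= ' - ' . $langs->trans("Draft");
        }
        if ($socid > 0 && (!empty($obj->fk_soc) && $obj->fk_soc != $socid)) {
            $disabled = 1;
            $labeltoshow .= ' - ' . $langs->trans("LinkedToAnotherCompany");
        }
        if ($hideunselectables && $disabled) {
            continue;
        }

        $resultat = '<option value="' . $obj->rowid . '"';
        if ($disabled) {
            $resultat .= ' disabled="disabled"';
        }
        $resultat .= '>' . $labeltoshow . '</option>';
        $out .= $resultat;
    }

    if (empty($option_only)) {
        $out .= '</select>';
    }

    if ($conf->cliacropose->enabled) {
        // TODO: crude; redo with the real autocompletion available since Dolibarr 3.8 so Dolibarr's own
        // project autocomplete is used when enabled (an ajax/projects.php script was added for acropose).
        // Autocompletion: the select built above is replaced by a text input backed by ajax/projects.php.
        // These three were previously read without ever being assigned (undefined-variable notices).
        $urloption = '';
        $placeholder = '';
        $selected_value = '';
        if (!empty($selected)) {
            $p = new Project($db);
            $p->fetch($selected);
            $selected_value = $p->ref;
        }
        $out = ajax_autocompleter($selected, $htmlname, DOL_URL_ROOT . '/projet/ajax/projects.php', $urloption, 1);
        $out .= '<input type="text" size="20" name="search_' . $htmlname . '" id="search_' . $htmlname . '" value="' . $selected_value . '"' . $placeholder . ' />';
    }

    $db->free($resql);

    return $out;
}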