PageRenderTime 50ms CodeModel.GetById 18ms RepoModel.GetById 0ms app.codeStats 0ms

/htdocs/core/lib/security.lib.php

http://github.com/Dolibarr/dolibarr
PHP | 872 lines | 654 code | 59 blank | 159 comment | 314 complexity | 98b90091f989bb2408b145532808c581 MD5 | raw file
Possible License(s): GPL-2.0, AGPL-3.0, LGPL-2.0, CC-BY-SA-4.0, BSD-3-Clause, MPL-2.0-no-copyleft-exception, LGPL-3.0, GPL-3.0, LGPL-2.1, MIT 
    

  1. <?php
    2. 

  2. /* Copyright (C) 2008-2021 Laurent Destailleur  <eldy@users.sourceforge.net>
    3. 

  3.  * Copyright (C) 2008-2021 Regis Houssin        <regis.houssin@inodbox.com>
    4. 

  4.  * Copyright (C) 2020	   Ferran Marcet        <fmarcet@2byte.es>
    5. 

  5.  *
    6. 

  6.  * This program is free software; you can redistribute it and/or modify
    7. 

  7.  * it under the terms of the GNU General Public License as published by
    8. 

  8.  * the Free Software Foundation; either version 3 of the License, or
    9. 

  9.  * (at your option) any later version.
    10. 

  10.  *
    11. 

  11.  * This program is distributed in the hope that it will be useful,
    12. 

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    13. 

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14. 

  14.  * GNU General Public License for more details.
    15. 

  15.  *
    16. 

  16.  * You should have received a copy of the GNU General Public License
    17. 

  17.  * along with this program. If not, see <https://www.gnu.org/licenses/>.
    18. 

  18.  * or see https://www.gnu.org/
    19. 

  19.  */
    20. 

  20. 

  21. /**
    22. 

  22.  *  \file		htdocs/core/lib/security.lib.php
    23. 

  23.  *  \ingroup    core
    24. 

  24.  *  \brief		Set of function used for dolibarr security (common function included into filefunc.inc.php)
    25. 

  25.  *  			Warning, this file must not depends on other library files, except function.lib.php
    26. 

  26.  *  			because it is used at low code level.
    27. 

  27.  */
    28. 

  28. 

  29. 

  30. /**
    31. 

  31.  *	Encode a string with base 64 algorithm + specific delta change.
    32. 

  32.  *
    33. 

  33.  *	@param   string		$chain		string to encode
    34. 

  34.  *	@param   string		$key		rule to use for delta ('0', '1' or 'myownkey')
    35. 

  35.  *	@return  string					encoded string
    36. 

  36.  *  @see dol_decode()
    37. 

  37.  */
    38. 

  38. function dol_encode($chain, $key = '1')
    39. 

  39. {
    40. 

  40. 	if (is_numeric($key) && $key == '1') {	// rule 1 is offset of 17 for char
    41. 

  41. 		$output_tab = array();
    42. 

  42. 		$strlength = dol_strlen($chain);
    43. 

  43. 		for ($i = 0; $i < $strlength; $i++) {
    44. 

  44. 			$output_tab[$i] = chr(ord(substr($chain, $i, 1)) + 17);
    45. 

  45. 		}
    46. 

  46. 		$chain = implode("", $output_tab);
    47. 

  47. 	} elseif ($key) {
    48. 

  48. 		$result = '';
    49. 

  49. 		$strlength = dol_strlen($chain);
    50. 

  50. 		for ($i = 0; $i < $strlength; $i++) {
    51. 

  51. 			$keychar = substr($key, ($i % strlen($key)) - 1, 1);
    52. 

  52. 			$result .= chr(ord(substr($chain, $i, 1)) + (ord($keychar) - 65));
    53. 

  53. 		}
    54. 

  54. 		$chain = $result;
    55. 

  55. 	}
    56. 

  56. 

  57. 	return base64_encode($chain);
    58. 

  58. }
    59. 

  59. 

  60. /**
    61. 

  61.  *	Decode a base 64 encoded + specific delta change.
    62. 

  62.  *  This function is called by filefunc.inc.php at each page call.
    63. 

  63.  *
    64. 

  64.  *	@param   string		$chain		string to decode
    65. 

  65.  *	@param   string		$key		rule to use for delta ('0', '1' or 'myownkey')
    66. 

  66.  *	@return  string					decoded string
    67. 

  67.  *  @see dol_encode()
    68. 

  68.  */
    69. 

  69. function dol_decode($chain, $key = '1')
    70. 

  70. {
    71. 

  71. 	$chain = base64_decode($chain);
    72. 

  72. 

  73. 	if (is_numeric($key) && $key == '1') {	// rule 1 is offset of 17 for char
    74. 

  74. 		$output_tab = array();
    75. 

  75. 		$strlength = dol_strlen($chain);
    76. 

  76. 		for ($i = 0; $i < $strlength; $i++) {
    77. 

  77. 			$output_tab[$i] = chr(ord(substr($chain, $i, 1)) - 17);
    78. 

  78. 		}
    79. 

  79. 

  80. 		$chain = implode("", $output_tab);
    81. 

  81. 	} elseif ($key) {
    82. 

  82. 		$result = '';
    83. 

  83. 		$strlength = dol_strlen($chain);
    84. 

  84. 		for ($i = 0; $i < $strlength; $i++) {
    85. 

  85. 			$keychar = substr($key, ($i % strlen($key)) - 1, 1);
    86. 

  86. 			$result .= chr(ord(substr($chain, $i, 1)) - (ord($keychar) - 65));
    87. 

  87. 		}
    88. 

  88. 		$chain = $result;
    89. 

  89. 	}
    90. 

  90. 

  91. 	return $chain;
    92. 

  92. }
    93. 

  93. 

  94. /**
    95. 

  95.  * 	Returns a hash of a string.
    96. 

  96.  *  If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function (recommanded value is 'password_hash')
    97. 

  97.  *  If constant MAIN_SECURITY_SALT is defined, we use it as a salt (used only if hashing algorightm is something else than 'password_hash').
    98. 

  98.  *
    99. 

  99.  * 	@param 		string		$chain		String to hash
    100. 

  100.  * 	@param		string		$type		Type of hash ('0':auto will use MAIN_SECURITY_HASH_ALGO else md5, '1':sha1, '2':sha1+md5, '3':md5, '4':md5 for OpenLdap with no salt, '5':sha256, '6':password_hash). Use '3' here, if hash is not needed for security purpose, for security need, prefer '0'.
    101. 

  101.  * 	@return		string					Hash of string
    102. 

  102.  *  @see getRandomPassword()
    103. 

  103.  */
    104. 

  104. function dol_hash($chain, $type = '0')
    105. 

  105. {
    106. 

  106. 	global $conf;
    107. 

  107. 

  108. 	// No need to add salt for password_hash
    109. 

  109. 	if (($type == '0' || $type == 'auto') && !empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'password_hash' && function_exists('password_hash')) {
    110. 

  110. 		return password_hash($chain, PASSWORD_DEFAULT);
    111. 

  111. 	}
    112. 

  112. 

  113. 	// Salt value
    114. 

  114. 	if (!empty($conf->global->MAIN_SECURITY_SALT) && $type != '4' && $type !== 'md5openldap') {
    115. 

  115. 		$chain = $conf->global->MAIN_SECURITY_SALT.$chain;
    116. 

  116. 	}
    117. 

  117. 

  118. 	if ($type == '1' || $type == 'sha1') {
    119. 

  119. 		return sha1($chain);
    120. 

  120. 	} elseif ($type == '2' || $type == 'sha1md5') {
    121. 

  121. 		return sha1(md5($chain));
    122. 

  122. 	} elseif ($type == '3' || $type == 'md5') {
    123. 

  123. 		return md5($chain);
    124. 

  124. 	} elseif ($type == '4' || $type == 'md5openldap') {
    125. 

  125. 		return '{md5}'.base64_encode(pack("H*", md5($chain))); // For OpenLdap with md5 (based on an unencrypted password in base)
    126. 

  126. 	} elseif ($type == '5' || $type == 'sha256') {
    127. 

  127. 		return hash('sha256', $chain);
    128. 

  128. 	} elseif ($type == '6' || $type == 'password_hash') {
    129. 

  129. 		return password_hash($chain, PASSWORD_DEFAULT);
    130. 

  130. 	} elseif (!empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'sha1') {
    131. 

  131. 		return sha1($chain);
    132. 

  132. 	} elseif (!empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'sha1md5') {
    133. 

  133. 		return sha1(md5($chain));
    134. 

  134. 	}
    135. 

  135. 

  136. 	// No particular encoding defined, use default
    137. 

  137. 	return md5($chain);
    138. 

  138. }
    139. 

  139. 

  140. /**
    141. 

  141.  * 	Compute a hash and compare it to the given one
    142. 

  142.  *  For backward compatibility reasons, if the hash is not in the password_hash format, we will try to match against md5 and sha1md5
    143. 

  143.  *  If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function.
    144. 

  144.  *  If constant MAIN_SECURITY_SALT is defined, we use it as a salt.
    145. 

  145.  *
    146. 

  146.  * 	@param 		string		$chain		String to hash (not hashed string)
    147. 

  147.  * 	@param 		string		$hash		hash to compare
    148. 

  148.  * 	@param		string		$type		Type of hash ('0':auto, '1':sha1, '2':sha1+md5, '3':md5, '4':md5 for OpenLdap, '5':sha256). Use '3' here, if hash is not needed for security purpose, for security need, prefer '0'.
    149. 

  149.  * 	@return		bool					True if the computed hash is the same as the given one
    150. 

  150.  */
    151. 

  151. function dol_verifyHash($chain, $hash, $type = '0')
    152. 

  152. {
    153. 

  153. 	global $conf;
    154. 

  154. 

  155. 	if ($type == '0' && !empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'password_hash' && function_exists('password_verify')) {
    156. 

  156. 		if ($hash[0] == '$') {
    157. 

  157. 			return password_verify($chain, $hash);
    158. 

  158. 		} elseif (strlen($hash) == 32) {
    159. 

  159. 			return dol_verifyHash($chain, $hash, '3'); // md5
    160. 

  160. 		} elseif (strlen($hash) == 40) {
    161. 

  161. 			return dol_verifyHash($chain, $hash, '2'); // sha1md5
    162. 

  162. 		}
    163. 

  163. 

  164. 		return false;
    165. 

  165. 	}
    166. 

  166. 

  167. 	return dol_hash($chain, $type) == $hash;
    168. 

  168. }
    169. 

  169. 

  170. /**
    171. 

  171.  *	Check permissions of a user to show a page and an object. Check read permission.
    172. 

  172.  * 	If GETPOST('action','aZ09') defined, we also check write and delete permission.
    173. 

  173.  *  This method check permission on module then call checkUserAccessToObject() for permission on object (according to entity and socid of user).
    174. 

  174.  *
    175. 

  175.  *	@param	User	$user      	  	User to check
    176. 

  176.  *	@param  string	$features	    Features to check (it must be module $object->element. Can be a 'or' check with 'levela|levelb'.
    177. 

  177.  *									Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
    178. 

  178.  *									This is used to check permission $user->rights->features->...
    179. 

  179.  *	@param  int		$objectid      	Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
    180. 

  180.  *	@param  string	$tableandshare  'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional).
    181. 

  181.  *	@param  string	$feature2		Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'.
    182. 

  182.  *									This is used to check permission $user->rights->features->feature2...
    183. 

  183.  *  @param  string	$dbt_keyfield   Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
    184. 

  184.  *  @param  string	$dbt_select     Field name for select if not rowid. Not used if objectid is null (optional)
    185. 

  185.  *  @param	int		$isdraft		1=The object with id=$objectid is a draft
    186. 

  186.  *  @param	int		$mode			Mode (0=default, 1=return with not die)
    187. 

  187.  * 	@return	int						If mode = 0 (default): Always 1, die process if not allowed. If mode = 1: Return 0 if access not allowed.
    188. 

  188.  *  @see dol_check_secure_access_document(), checkUserAccessToObject()
    189. 

  189.  */
    190. 

  190. function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid', $isdraft = 0, $mode = 0)
    191. 

  191. {
    192. 

  192. 	global $db, $conf;
    193. 

  193. 	global $hookmanager;
    194. 

  194. 

  195. 	//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft");
    196. 

  196. 	//print "user_id=".$user->id.", features=".$features.", feature2=".$feature2.", objectid=".$objectid;
    197. 

  197. 	//print ", dbtablename=".$dbtablename.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select;
    198. 

  198. 	//print ", perm: ".$features."->".$feature2."=".($user->rights->$features->$feature2->lire)."<br>";
    199. 

  199. 

  200. 	$parentfortableentity = '';
    201. 

  201. 

  202. 	// Fix syntax of $features param
    203. 

  203. 	$originalfeatures = $features;
    204. 

  204. 	if ($features == 'facturerec') {
    205. 

  205. 		$features = 'facture';
    206. 

  206. 	}
    207. 

  207. 	if ($features == 'mo') {
    208. 

  208. 		$features = 'mrp';
    209. 

  209. 	}
    210. 

  210. 	if ($features == 'member') {
    211. 

  211. 		$features = 'adherent';
    212. 

  212. 	}
    213. 

  213. 	if ($features == 'subscription') {
    214. 

  214. 		$features = 'adherent';
    215. 

  215. 		$feature2 = 'cotisation';
    216. 

  216. 	};
    217. 

  217. 	if ($features == 'websitepage') {
    218. 

  218. 		$features = 'website';
    219. 

  219. 		$tableandshare = 'website_page';
    220. 

  220. 		$parentfortableentity = 'fk_website@website';
    221. 

  221. 	}
    222. 

  222. 	if ($features == 'project') {
    223. 

  223. 		$features = 'projet';
    224. 

  224. 	}
    225. 

  225. 	if ($features == 'product') {
    226. 

  226. 		$features = 'produit';
    227. 

  227. 	}
    228. 

  228. 

  229. 	// Get more permissions checks from hooks
    230. 

  230. 	$parameters = array('features'=>$features, 'originalfeatures'=>$originalfeatures, 'objectid'=>$objectid, 'dbt_select'=>$dbt_select, 'idtype'=>$dbt_select, 'isdraft'=>$isdraft);
    231. 

  231. 	$reshook = $hookmanager->executeHooks('restrictedArea', $parameters);
    232. 

  232. 

  233. 	if (isset($hookmanager->resArray['result'])) {
    234. 

  234. 		if ($hookmanager->resArray['result'] == 0) {
    235. 

  235. 			if ($mode) {
    236. 

  236. 				return 0;
    237. 

  237. 			} else {
    238. 

  238. 				accessforbidden(); // Module returns 0, so access forbidden
    239. 

  239. 			}
    240. 

  240. 		}
    241. 

  241. 	}
    242. 

  242. 	if ($reshook > 0) {		// No other test done.
    243. 

  243. 		return 1;
    244. 

  244. 	}
    245. 

  245. 

  246. 	if ($dbt_select != 'rowid' && $dbt_select != 'id') {
    247. 

  247. 		$objectid = "'".$objectid."'";
    248. 

  248. 	}
    249. 

  249. 

  250. 	// Features/modules to check
    251. 

  251. 	$featuresarray = array($features);
    252. 

  252. 	if (preg_match('/&/', $features)) {
    253. 

  253. 		$featuresarray = explode("&", $features);
    254. 

  254. 	} elseif (preg_match('/\|/', $features)) {
    255. 

  255. 		$featuresarray = explode("|", $features);
    256. 

  256. 	}
    257. 

  257. 

  258. 	// More subfeatures to check
    259. 

  259. 	if (!empty($feature2)) {
    260. 

  260. 		$feature2 = explode("|", $feature2);
    261. 

  261. 	}
    262. 

  262. 

  263. 	$listofmodules = explode(',', $conf->global->MAIN_MODULES_FOR_EXTERNAL);
    264. 

  264. 

  265. 	// Check read permission from module
    266. 

  266. 	$readok = 1;
    267. 

  267. 	$nbko = 0;
    268. 

  268. 	foreach ($featuresarray as $feature) {	// first we check nb of test ko
    269. 

  269. 		$featureforlistofmodule = $feature;
    270. 

  270. 		if ($featureforlistofmodule == 'produit') {
    271. 

  271. 			$featureforlistofmodule = 'product';
    272. 

  272. 		}
    273. 

  273. 		if (!empty($user->socid) && !empty($conf->global->MAIN_MODULES_FOR_EXTERNAL) && !in_array($featureforlistofmodule, $listofmodules)) {	// If limits on modules for external users, module must be into list of modules for external users
    274. 

  274. 			$readok = 0;
    275. 

  275. 			$nbko++;
    276. 

  276. 			continue;
    277. 

  277. 		}
    278. 

  278. 

  279. 		if ($feature == 'societe') {
    280. 

  280. 			if (empty($user->rights->societe->lire) && empty($user->rights->fournisseur->lire)) {
    281. 

  281. 				$readok = 0;
    282. 

  282. 				$nbko++;
    283. 

  283. 			}
    284. 

  284. 		} elseif ($feature == 'contact') {
    285. 

  285. 			if (empty($user->rights->societe->contact->lire)) {
    286. 

  286. 				$readok = 0;
    287. 

  287. 				$nbko++;
    288. 

  288. 			}
    289. 

  289. 		} elseif ($feature == 'produit|service') {
    290. 

  290. 			if (!$user->rights->produit->lire && !$user->rights->service->lire) {
    291. 

  291. 				$readok = 0;
    292. 

  292. 				$nbko++;
    293. 

  293. 			}
    294. 

  294. 		} elseif ($feature == 'prelevement') {
    295. 

  295. 			if (!$user->rights->prelevement->bons->lire) {
    296. 

  296. 				$readok = 0;
    297. 

  297. 				$nbko++;
    298. 

  298. 			}
    299. 

  299. 		} elseif ($feature == 'cheque') {
    300. 

  300. 			if (empty($user->rights->banque->cheque)) {
    301. 

  301. 				$readok = 0;
    302. 

  302. 				$nbko++;
    303. 

  303. 			}
    304. 

  304. 		} elseif ($feature == 'projet') {
    305. 

  305. 			if (!$user->rights->projet->lire && empty($user->rights->projet->all->lire)) {
    306. 

  306. 				$readok = 0;
    307. 

  307. 				$nbko++;
    308. 

  308. 			}
    309. 

  309. 		} elseif ($feature == 'payment') {
    310. 

  310. 			if (!$user->rights->facture->lire) {
    311. 

  311. 				$readok = 0;
    312. 

  312. 				$nbko++;
    313. 

  313. 			}
    314. 

  314. 		} elseif ($feature == 'payment_supplier') {
    315. 

  315. 			if (empty($user->rights->fournisseur->facture->lire)) {
    316. 

  316. 				$readok = 0;
    317. 

  317. 				$nbko++;
    318. 

  318. 			}
    319. 

  319. 		} elseif (!empty($feature2)) { 													// This is for permissions on 2 levels
    320. 

  320. 			$tmpreadok = 1;
    321. 

  321. 			foreach ($feature2 as $subfeature) {
    322. 

  322. 				if ($subfeature == 'user' && $user->id == $objectid) {
    323. 

  323. 					continue; // A user can always read its own card
    324. 

  324. 				}
    325. 

  325. 				if (!empty($subfeature) && empty($user->rights->$feature->$subfeature->lire) && empty($user->rights->$feature->$subfeature->read)) {
    326. 

  326. 					$tmpreadok = 0;
    327. 

  327. 				} elseif (empty($subfeature) && empty($user->rights->$feature->lire) && empty($user->rights->$feature->read)) {
    328. 

  328. 					$tmpreadok = 0;
    329. 

  329. 				} else {
    330. 

  330. 					$tmpreadok = 1;
    331. 

  331. 					break;
    332. 

  332. 				} // Break is to bypass second test if the first is ok
    333. 

  333. 			}
    334. 

  334. 			if (!$tmpreadok) {	// We found a test on feature that is ko
    335. 

  335. 				$readok = 0; // All tests are ko (we manage here the and, the or will be managed later using $nbko).
    336. 

  336. 				$nbko++;
    337. 

  337. 			}
    338. 

  338. 		} elseif (!empty($feature) && ($feature != 'user' && $feature != 'usergroup')) {		// This is permissions on 1 level
    339. 

  339. 			if (empty($user->rights->$feature->lire)
    340. 

  340. 				&& empty($user->rights->$feature->read)
    341. 

  341. 				&& empty($user->rights->$feature->run)) {
    342. 

  342. 				$readok = 0;
    343. 

  343. 				$nbko++;
    344. 

  344. 			}
    345. 

  345. 		}
    346. 

  346. 	}
    347. 

  347. 

  348. 	// If a or and at least one ok
    349. 

  349. 	if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) {
    350. 

  350. 		$readok = 1;
    351. 

  351. 	}
    352. 

  352. 

  353. 	if (!$readok) {
    354. 

  354. 		if ($mode) {
    355. 

  355. 			return 0;
    356. 

  356. 		} else {
    357. 

  357. 			accessforbidden();
    358. 

  358. 		}
    359. 

  359. 	}
    360. 

  360. 	//print "Read access is ok";
    361. 

  361. 

  362. 	// Check write permission from module (we need to know write permission to create but also to delete drafts record or to upload files)
    363. 

  363. 	$createok = 1;
    364. 

  364. 	$nbko = 0;
    365. 

  365. 	$wemustcheckpermissionforcreate = (GETPOST('sendit', 'alpha') || GETPOST('linkit', 'alpha') || in_array(GETPOST('action', 'aZ09'), array('create', 'update', 'add_element_resource', 'confirm_delete_linked_resource')) || GETPOST('roworder', 'alpha', 2));
    366. 

  366. 	$wemustcheckpermissionfordeletedraft = ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete');
    367. 

  367. 

  368. 	if ($wemustcheckpermissionforcreate || $wemustcheckpermissionfordeletedraft) {
    369. 

  369. 		foreach ($featuresarray as $feature) {
    370. 

  370. 			if ($feature == 'contact') {
    371. 

  371. 				if (empty($user->rights->societe->contact->creer)) {
    372. 

  372. 					$createok = 0;
    373. 

  373. 					$nbko++;
    374. 

  374. 				}
    375. 

  375. 			} elseif ($feature == 'produit|service') {
    376. 

  376. 				if (empty($user->rights->produit->creer) && empty($user->rights->service->creer)) {
    377. 

  377. 					$createok = 0;
    378. 

  378. 					$nbko++;
    379. 

  379. 				}
    380. 

  380. 			} elseif ($feature == 'prelevement') {
    381. 

  381. 				if (!$user->rights->prelevement->bons->creer) {
    382. 

  382. 					$createok = 0;
    383. 

  383. 					$nbko++;
    384. 

  384. 				}
    385. 

  385. 			} elseif ($feature == 'commande_fournisseur') {
    386. 

  386. 				if (empty($user->rights->fournisseur->commande->creer) || empty($user->rights->supplier_order->creer)) {
    387. 

  387. 					$createok = 0;
    388. 

  388. 					$nbko++;
    389. 

  389. 				}
    390. 

  390. 			} elseif ($feature == 'banque') {
    391. 

  391. 				if (empty($user->rights->banque->modifier)) {
    392. 

  392. 					$createok = 0;
    393. 

  393. 					$nbko++;
    394. 

  394. 				}
    395. 

  395. 			} elseif ($feature == 'cheque') {
    396. 

  396. 				if (empty($user->rights->banque->cheque)) {
    397. 

  397. 					$createok = 0;
    398. 

  398. 					$nbko++;
    399. 

  399. 				}
    400. 

  400. 			} elseif ($feature == 'import') {
    401. 

  401. 				if (empty($user->rights->import->run)) {
    402. 

  402. 					$createok = 0;
    403. 

  403. 					$nbko++;
    404. 

  404. 				}
    405. 

  405. 			} elseif ($feature == 'ecm') {
    406. 

  406. 				if (!$user->rights->ecm->upload) {
    407. 

  407. 					$createok = 0;
    408. 

  408. 					$nbko++;
    409. 

  409. 				}
    410. 

  410. 			} elseif (!empty($feature2)) {														// This is for permissions on one level
    411. 

  411. 				foreach ($feature2 as $subfeature) {
    412. 

  412. 					if ($subfeature == 'user' && $user->id == $objectid && $user->rights->user->self->creer) {
    413. 

  413. 						continue; // User can edit its own card
    414. 

  414. 					}
    415. 

  415. 					if ($subfeature == 'user' && $user->id == $objectid && $user->rights->user->self->password) {
    416. 

  416. 						continue; // User can edit its own password
    417. 

  417. 					}
    418. 

  418. 					if ($subfeature == 'user' && $user->id != $objectid && $user->rights->user->user->password) {
    419. 

  419. 						continue; // User can edit another user's password
    420. 

  420. 					}
    421. 

  421. 

  422. 					if (empty($user->rights->$feature->$subfeature->creer)
    423. 

  423. 					&& empty($user->rights->$feature->$subfeature->write)
    424. 

  424. 					&& empty($user->rights->$feature->$subfeature->create)) {
    425. 

  425. 						$createok = 0;
    426. 

  426. 						$nbko++;
    427. 

  427. 					} else {
    428. 

  428. 						$createok = 1;
    429. 

  429. 						// Break to bypass second test if the first is ok
    430. 

  430. 						break;
    431. 

  431. 					}
    432. 

  432. 				}
    433. 

  433. 			} elseif (!empty($feature)) {												// This is for permissions on 2 levels ('creer' or 'write')
    434. 

  434. 				//print '<br>feature='.$feature.' creer='.$user->rights->$feature->creer.' write='.$user->rights->$feature->write; exit;
    435. 

  435. 				if (empty($user->rights->$feature->creer)
    436. 

  436. 				&& empty($user->rights->$feature->write)
    437. 

  437. 				&& empty($user->rights->$feature->create)) {
    438. 

  438. 					$createok = 0;
    439. 

  439. 					$nbko++;
    440. 

  440. 				}
    441. 

  441. 			}
    442. 

  442. 		}
    443. 

  443. 

  444. 		// If a or and at least one ok
    445. 

  445. 		if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) {
    446. 

  446. 			$createok = 1;
    447. 

  447. 		}
    448. 

  448. 

  449. 		if ($wemustcheckpermissionforcreate && !$createok) {
    450. 

  450. 			if ($mode) {
    451. 

  451. 				return 0;
    452. 

  452. 			} else {
    453. 

  453. 				accessforbidden();
    454. 

  454. 			}
    455. 

  455. 		}
    456. 

  456. 		//print "Write access is ok";
    457. 

  457. 	}
    458. 

  458. 

  459. 	// Check create user permission
    460. 

  460. 	$createuserok = 1;
    461. 

  461. 	if (GETPOST('action', 'aZ09') == 'confirm_create_user' && GETPOST("confirm", 'aZ09') == 'yes') {
    462. 

  462. 		if (!$user->rights->user->user->creer) {
    463. 

  463. 			$createuserok = 0;
    464. 

  464. 		}
    465. 

  465. 

  466. 		if (!$createuserok) {
    467. 

  467. 			if ($mode) {
    468. 

  468. 				return 0;
    469. 

  469. 			} else {
    470. 

  470. 				accessforbidden();
    471. 

  471. 			}
    472. 

  472. 		}
    473. 

  473. 		//print "Create user access is ok";
    474. 

  474. 	}
    475. 

  475. 

  476. 	// Check delete permission from module
    477. 

  477. 	$deleteok = 1;
    478. 

  478. 	$nbko = 0;
    479. 

  479. 	if ((GETPOST("action", "aZ09") == 'confirm_delete' && GETPOST("confirm", "aZ09") == 'yes') || GETPOST("action", "aZ09") == 'delete') {
    480. 

  480. 		foreach ($featuresarray as $feature) {
    481. 

  481. 			if ($feature == 'contact') {
    482. 

  482. 				if (!$user->rights->societe->contact->supprimer) {
    483. 

  483. 					$deleteok = 0;
    484. 

  484. 				}
    485. 

  485. 			} elseif ($feature == 'produit|service') {
    486. 

  486. 				if (!$user->rights->produit->supprimer && !$user->rights->service->supprimer) {
    487. 

  487. 					$deleteok = 0;
    488. 

  488. 				}
    489. 

  489. 			} elseif ($feature == 'commande_fournisseur') {
    490. 

  490. 				if (!$user->rights->fournisseur->commande->supprimer) {
    491. 

  491. 					$deleteok = 0;
    492. 

  492. 				}
    493. 

  493. 			} elseif ($feature == 'payment_supplier') {	// Permission to delete a payment of an invoice is permission to edit an invoice.
    494. 

  494. 				if (!$user->rights->fournisseur->facture->creer) {
    495. 

  495. 					$deleteok = 0;
    496. 

  496. 				}
    497. 

  497. 			} elseif ($feature == 'payment') {	// Permission to delete a payment of an invoice is permission to edit an invoice.
    498. 

  498. 				if (!$user->rights->facture->creer) {
    499. 

  499. 						$deleteok = 0;
    500. 

  500. 				}
    501. 

  501. 			} elseif ($feature == 'banque') {
    502. 

  502. 				if (empty($user->rights->banque->modifier)) {
    503. 

  503. 					$deleteok = 0;
    504. 

  504. 				}
    505. 

  505. 			} elseif ($feature == 'cheque') {
    506. 

  506. 				if (empty($user->rights->banque->cheque)) {
    507. 

  507. 					$deleteok = 0;
    508. 

  508. 				}
    509. 

  509. 			} elseif ($feature == 'ecm') {
    510. 

  510. 				if (!$user->rights->ecm->upload) {
    511. 

  511. 					$deleteok = 0;
    512. 

  512. 				}
    513. 

  513. 			} elseif ($feature == 'ftp') {
    514. 

  514. 				if (!$user->rights->ftp->write) {
    515. 

  515. 					$deleteok = 0;
    516. 

  516. 				}
    517. 

  517. 			} elseif ($feature == 'salaries') {
    518. 

  518. 				if (!$user->rights->salaries->delete) {
    519. 

  519. 					$deleteok = 0;
    520. 

  520. 				}
    521. 

  521. 			} elseif ($feature == 'adherent') {
    522. 

  522. 				if (empty($user->rights->adherent->supprimer)) {
    523. 

  523. 					$deleteok = 0;
    524. 

  524. 				}
    525. 

  525. 			} elseif (!empty($feature2)) {							// This is for permissions on 2 levels
    526. 

  526. 				foreach ($feature2 as $subfeature) {
    527. 

  527. 					if (empty($user->rights->$feature->$subfeature->supprimer) && empty($user->rights->$feature->$subfeature->delete)) {
    528. 

  528. 						$deleteok = 0;
    529. 

  529. 					} else {
    530. 

  530. 						$deleteok = 1;
    531. 

  531. 						break;
    532. 

  532. 					} // For bypass the second test if the first is ok
    533. 

  533. 				}
    534. 

  534. 			} elseif (!empty($feature)) {							// This is used for permissions on 1 level
    535. 

  535. 				//print '<br>feature='.$feature.' creer='.$user->rights->$feature->supprimer.' write='.$user->rights->$feature->delete;
    536. 

  536. 				if (empty($user->rights->$feature->supprimer)
    537. 

  537. 					&& empty($user->rights->$feature->delete)
    538. 

  538. 					&& empty($user->rights->$feature->run)) {
    539. 

  539. 					$deleteok = 0;
    540. 

  540. 				}
    541. 

  541. 			}
    542. 

  542. 		}
    543. 

  543. 

  544. 		// If a or and at least one ok
    545. 

  545. 		if (preg_match('/\|/', $features) && $nbko < count($featuresarray)) {
    546. 

  546. 			$deleteok = 1;
    547. 

  547. 		}
    548. 

  548. 

  549. 		if (!$deleteok && !($isdraft && $createok)) {
    550. 

  550. 			if ($mode) {
    551. 

  551. 				return 0;
    552. 

  552. 			} else {
    553. 

  553. 				accessforbidden();
    554. 

  554. 			}
    555. 

  555. 		}
    556. 

  556. 		//print "Delete access is ok";
    557. 

  557. 	}
    558. 

  558. 

  559. 	// If we have a particular object to check permissions on, we check if $user has permission
    560. 

  560. 	// for this given object (link to company, is contact for project, ...)
    561. 

  561. 	if (!empty($objectid) && $objectid > 0) {
    562. 

  562. 		$ok = checkUserAccessToObject($user, $featuresarray, $objectid, $tableandshare, $feature2, $dbt_keyfield, $dbt_select, $parentfortableentity);
    563. 

  563. 		$params = array('objectid' => $objectid, 'features' => join(',', $featuresarray), 'features2' => $feature2);
    564. 

  564. 		//print 'checkUserAccessToObject ok='.$ok;
    565. 

  565. 		if ($mode) {
    566. 

  566. 			return $ok ? 1 : 0;
    567. 

  567. 		} else {
    568. 

  568. 			return $ok ? 1 : accessforbidden('', 1, 1, 0, $params);
    569. 

  569. 		}
    570. 

  570. 	}
    571. 

  571. 

  572. 	return 1;
    573. 

  573. }
    574. 

  574. 

  575. /**
    576. 

  576.  * Check access by user to object is ok.
    577. 

  577.  * This function is also called by restrictedArea that check before if module is enabled and if permission of user for $action is ok.
    578. 

  578.  *
    579. 

  579.  * @param User			$user					User to check
    580. 

  580.  * @param array			$featuresarray			Features/modules to check. Example: ('user','service','member','project','task',...)
    581. 

  581.  * @param int|string	$objectid				Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
    582. 

  582.  * @param string		$tableandshare			'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany modume. Param not used if objectid is null (optional).
    583. 

  583.  * @param string		$feature2				Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
    584. 

  584.  * @param string		$dbt_keyfield			Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
    585. 

  585.  * @param string		$dbt_select				Field name for select if not rowid. Not used if objectid is null (optional)
    586. 

  586.  * @param string		$parenttableforentity  	Parent table for entity. Example 'fk_website@website'
    587. 

  587.  * @return	bool								True if user has access, False otherwise
    588. 

  588.  * @see restrictedArea()
    589. 

  589.  */
    590. 

  590. function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $tableandshare = '', $feature2 = '', $dbt_keyfield = '', $dbt_select = 'rowid', $parenttableforentity = '')
    591. 

  591. {
    592. 

  592. 	global $db, $conf;
    593. 

  593. 

  594. 	//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft");
    595. 

  595. 	//print "user_id=".$user->id.", features=".join(',', $featuresarray).", feature2=".$feature2.", objectid=".$objectid;
    596. 

  596. 	//print ", tableandshare=".$tableandshare.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select."<br>";
    597. 

  597. 

  598. 	// More parameters
    599. 

  599. 	$params = explode('&', $tableandshare);
    600. 

  600. 	$dbtablename = (!empty($params[0]) ? $params[0] : '');
    601. 

  601. 	$sharedelement = (!empty($params[1]) ? $params[1] : $dbtablename);
    602. 

  602. 

  603. 	foreach ($featuresarray as $feature) {
    604. 

  604. 		$sql = '';
    605. 

  605. 

  606. 		//var_dump($feature);
    607. 

  607. 

  608. 		// For backward compatibility
    609. 

  609. 		if ($feature == 'member') {
    610. 

  610. 			$feature = 'adherent';
    611. 

  611. 		}
    612. 

  612. 		if ($feature == 'project') {
    613. 

  613. 			$feature = 'projet';
    614. 

  614. 		}
    615. 

  615. 		if ($feature == 'task') {
    616. 

  616. 			$feature = 'projet_task';
    617. 

  617. 		}
    618. 

  618. 

  619. 		$check = array('adherent', 'banque', 'bom', 'don', 'mrp', 'user', 'usergroup', 'payment', 'payment_supplier', 'product', 'produit', 'service', 'produit|service', 'categorie', 'resource', 'expensereport', 'holiday', 'salaries', 'website'); // Test on entity only (Objects with no link to company)
    620. 

  620. 		$checksoc = array('societe'); // Test for societe object
    621. 

  621. 		$checkother = array('contact', 'agenda'); // Test on entity + link to third party on field $dbt_keyfield. Allowed if link is empty (Ex: contacts...).
    622. 

  622. 		$checkproject = array('projet', 'project'); // Test for project object
    623. 

  623. 		$checktask = array('projet_task'); // Test for task object
    624. 

  624. 		$nocheck = array('barcode', 'stock'); // No test
    625. 

  625. 		//$checkdefault = 'all other not already defined'; // Test on entity + link to third party on field $dbt_keyfield. Not allowed if link is empty (Ex: invoice, orders...).
    626. 

  626. 

  627. 		// If dbtablename not defined, we use same name for table than module name
    628. 

  628. 		if (empty($dbtablename)) {
    629. 

  629. 			$dbtablename = $feature;
    630. 

  630. 			$sharedelement = (!empty($params[1]) ? $params[1] : $dbtablename); // We change dbtablename, so we set sharedelement too.
    631. 

  631. 		}
    632. 

  632. 

  633. 		// Check permission for object on entity only
    634. 

  634. 		if (in_array($feature, $check)) {
    635. 

  635. 			$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
    636. 

  636. 			$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    637. 

  637. 			if (($feature == 'user' || $feature == 'usergroup') && !empty($conf->multicompany->enabled)) {	// Special for multicompany
    638. 

  638. 				if (!empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
    639. 

  639. 					if ($conf->entity == 1 && $user->admin && !$user->entity) {
    640. 

  640. 						$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    641. 

  641. 						$sql .= " AND dbt.entity IS NOT NULL";
    642. 

  642. 					} else {
    643. 

  643. 						$sql .= ",".MAIN_DB_PREFIX."usergroup_user as ug";
    644. 

  644. 						$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    645. 

  645. 						$sql .= " AND ((ug.fk_user = dbt.rowid";
    646. 

  646. 						$sql .= " AND ug.entity IN (".getEntity('usergroup')."))";
    647. 

  647. 						$sql .= " OR dbt.entity = 0)"; // Show always superadmin
    648. 

  648. 					}
    649. 

  649. 				} else {
    650. 

  650. 					$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    651. 

  651. 					$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    652. 

  652. 				}
    653. 

  653. 			} else {
    654. 

  654. 				$reg = array();
    655. 

  655. 				if ($parenttableforentity && preg_match('/(.*)@(.*)/', $parenttableforentity, $reg)) {
    656. 

  656. 					$sql .= ", ".MAIN_DB_PREFIX.$reg[2]." as dbtp";
    657. 

  657. 					$sql .= " WHERE dbt.".$reg[1]." = dbtp.rowid AND dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    658. 

  658. 					$sql .= " AND dbtp.entity IN (".getEntity($sharedelement, 1).")";
    659. 

  659. 				} else {
    660. 

  660. 					$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    661. 

  661. 					$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    662. 

  662. 				}
    663. 

  663. 			}
    664. 

  664. 		} elseif (in_array($feature, $checksoc)) {	// We check feature = checksoc
    665. 

  665. 			// If external user: Check permission for external users
    666. 

  666. 			if ($user->socid > 0) {
    667. 

  667. 				if ($user->socid <> $objectid) {
    668. 

  668. 					return false;
    669. 

  669. 				}
    670. 

  670. 			} elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && empty($user->rights->societe->client->voir))) {
    671. 

  671. 				// If internal user: Check permission for internal users that are restricted on their objects
    672. 

  672. 				$sql = "SELECT COUNT(sc.fk_soc) as nb";
    673. 

  673. 				$sql .= " FROM (".MAIN_DB_PREFIX."societe_commerciaux as sc";
    674. 

  674. 				$sql .= ", ".MAIN_DB_PREFIX."societe as s)";
    675. 

  675. 				$sql .= " WHERE sc.fk_soc IN (".$db->sanitize($objectid, 1).")";
    676. 

  676. 				$sql .= " AND sc.fk_user = ".((int) $user->id);
    677. 

  677. 				$sql .= " AND sc.fk_soc = s.rowid";
    678. 

  678. 				$sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")";
    679. 

  679. 			} elseif (!empty($conf->multicompany->enabled)) {
    680. 

  680. 				// If multicompany and internal users with all permissions, check user is in correct entity
    681. 

  681. 				$sql = "SELECT COUNT(s.rowid) as nb";
    682. 

  682. 				$sql .= " FROM ".MAIN_DB_PREFIX."societe as s";
    683. 

  683. 				$sql .= " WHERE s.rowid IN (".$db->sanitize($objectid, 1).")";
    684. 

  684. 				$sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")";
    685. 

  685. 			}
    686. 

  686. 		} elseif (in_array($feature, $checkother)) {	// Test on entity + link to thirdparty. Allowed if link is empty (Ex: contacts...).
    687. 

  687. 			// If external user: Check permission for external users
    688. 

  688. 			if ($user->socid > 0) {
    689. 

  689. 				$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
    690. 

  690. 				$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    691. 

  691. 				$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    692. 

  692. 				$sql .= " AND dbt.fk_soc = ".((int) $user->socid);
    693. 

  693. 			} elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && empty($user->rights->societe->client->voir))) {
    694. 

  694. 				// If internal user: Check permission for internal users that are restricted on their objects
    695. 

  695. 				$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
    696. 

  696. 				$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    697. 

  697. 				$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
    698. 

  698. 				$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    699. 

  699. 				$sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
    700. 

  700. 				$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    701. 

  701. 			} elseif (!empty($conf->multicompany->enabled)) {
    702. 

  702. 				// If multicompany and internal users with all permissions, check user is in correct entity
    703. 

  703. 				$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
    704. 

  704. 				$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    705. 

  705. 				$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    706. 

  706. 				$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    707. 

  707. 			}
    708. 

  708. 			if ($feature == 'agenda') {
    709. 

  709. 				// Also check owner or attendee for users without allactions->read
    710. 

  710. 				if ($objectid > 0 && empty($user->rights->agenda->allactions->read)) {
    711. 

  711. 					require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
    712. 

  712. 					$action = new ActionComm($db);
    713. 

  713. 					$action->fetch($objectid);
    714. 

  714. 					if ($action->authorid != $user->id && $action->userownerid != $user->id && !(array_key_exists($user->id, $action->userassigned))) {
    715. 

  715. 						return false;
    716. 

  716. 					}
    717. 

  717. 				}
    718. 

  718. 			}
    719. 

  719. 		} elseif (in_array($feature, $checkproject)) {
    720. 

  720. 			if (!empty($conf->projet->enabled) && empty($user->rights->projet->all->lire)) {
    721. 

  721. 				include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
    722. 

  722. 				$projectstatic = new Project($db);
    723. 

  723. 				$tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0);
    724. 

  724. 

  725. 				$tmparray = explode(',', $tmps);
    726. 

  726. 				if (!in_array($objectid, $tmparray)) {
    727. 

  727. 					return false;
    728. 

  728. 				}
    729. 

  729. 			} else {
    730. 

  730. 				$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
    731. 

  731. 				$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    732. 

  732. 				$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    733. 

  733. 				$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    734. 

  734. 			}
    735. 

  735. 		} elseif (in_array($feature, $checktask)) {
    736. 

  736. 			if (!empty($conf->projet->enabled) && empty($user->rights->projet->all->lire)) {
    737. 

  737. 				$task = new Task($db);
    738. 

  738. 				$task->fetch($objectid);
    739. 

  739. 

  740. 				include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
    741. 

  741. 				$projectstatic = new Project($db);
    742. 

  742. 				$tmps = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1, 0);
    743. 

  743. 				$tmparray = explode(',', $tmps);
    744. 

  744. 				if (!in_array($task->fk_project, $tmparray)) {
    745. 

  745. 					return false;
    746. 

  746. 				}
    747. 

  747. 			} else {
    748. 

  748. 				$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
    749. 

  749. 				$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    750. 

  750. 				$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    751. 

  751. 				$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    752. 

  752. 			}
    753. 

  753. 		} elseif (!in_array($feature, $nocheck)) {		// By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
    754. 

  754. 			// If external user: Check permission for external users
    755. 

  755. 			if ($user->socid > 0) {
    756. 

  756. 				if (empty($dbt_keyfield)) {
    757. 

  757. 					dol_print_error('', 'Param dbt_keyfield is required but not defined');
    758. 

  758. 				}
    759. 

  759. 				$sql = "SELECT COUNT(dbt.".$dbt_keyfield.") as nb";
    760. 

  760. 				$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    761. 

  761. 				$sql .= " WHERE dbt.rowid IN (".$db->sanitize($objectid, 1).")";
    762. 

  762. 				$sql .= " AND dbt.".$dbt_keyfield." = ".((int) $user->socid);
    763. 

  763. 			} elseif (!empty($conf->societe->enabled) && empty($user->rights->societe->client->voir)) {
    764. 

  764. 				// If internal user: Check permission for internal users that are restricted on their objects
    765. 

  765. 				if ($feature != 'ticket') {
    766. 

  766. 					if (empty($dbt_keyfield)) {
    767. 

  767. 						dol_print_error('', 'Param dbt_keyfield is required but not defined');
    768. 

  768. 					}
    769. 

  769. 					$sql = "SELECT COUNT(sc.fk_soc) as nb";
    770. 

  770. 					$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    771. 

  771. 					$sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
    772. 

  772. 					$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    773. 

  773. 					$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    774. 

  774. 					$sql .= " AND sc.fk_soc = dbt.".$dbt_keyfield;
    775. 

  775. 					$sql .= " AND sc.fk_user = ".((int) $user->id);
    776. 

  776. 				} else {
    777. 

  777. 					// On ticket, the thirdparty is not mandatory, so we need a special test to accept record with no thirdparties.
    778. 

  778. 					$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
    779. 

  779. 					$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    780. 

  780. 					$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc = dbt.".$dbt_keyfield." AND sc.fk_user = ".((int) $user->id);
    781. 

  781. 					$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    782. 

  782. 					$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    783. 

  783. 					$sql .= " AND (sc.fk_user = ".((int) $user->id)." OR sc.fk_user IS NULL)";
    784. 

  784. 				}
    785. 

  785. 			} elseif (!empty($conf->multicompany->enabled)) {
    786. 

  786. 				// If multicompany and internal users with all permissions, check user is in correct entity
    787. 

  787. 				$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
    788. 

  788. 				$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
    789. 

  789. 				$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
    790. 

  790. 				$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
    791. 

  791. 			}
    792. 

  792. 		}
    793. 

  793. 		//print $sql;
    794. 

  794. 

  795. 		if ($sql) {
    796. 

  796. 			$resql = $db->query($sql);
    797. 

  797. 			if ($resql) {
    798. 

  798. 				$obj = $db->fetch_object($resql);
    799. 

  799. 				if (!$obj || $obj->nb < count(explode(',', $objectid))) {
    800. 

  800. 					return false;
    801. 

  801. 				}
    802. 

  802. 			} else {
    803. 

  803. 				dol_syslog("Bad forged sql in checkUserAccessToObject", LOG_WARNING);
    804. 

  804. 				return false;
    805. 

  805. 			}
    806. 

  806. 		}
    807. 

  807. 	}
    808. 

  808. 

  809. 	return true;
    810. 

  810. }
    811. 

  811. 

  812. /**
    813. 

  813.  *	Show a message to say access is forbidden and stop program
    814. 

  814.  *	Calling this function terminate execution of PHP.
    815. 

  815.  *
    816. 

  816.  *	@param	string		$message			Force error message
    817. 

  817.  *	@param	int			$printheader		Show header before
    818. 

  818.  *  @param  int			$printfooter        Show footer after
    819. 

  819.  *  @param  int			$showonlymessage    Show only message parameter. Otherwise add more information.
    820. 

  820.  *  @param  array|null  $params         	More parameters provided to hook
    821. 

  821.  *  @return	void
    822. 

  822.  */
    823. 

  823. function accessforbidden($message = '', $printheader = 1, $printfooter = 1, $showonlymessage = 0, $params = null)
    824. 

  824. {
    825. 

  825. 	global $conf, $db, $user, $langs, $hookmanager;
    826. 

  826. 	if (!is_object($langs)) {
    827. 

  827. 		include_once DOL_DOCUMENT_ROOT.'/core/class/translate.class.php';
    828. 

  828. 		$langs = new Translate('', $conf);
    829. 

  829. 		$langs->setDefaultLang();
    830. 

  830. 	}
    831. 

  831. 

  832. 	$langs->load("errors");
    833. 

  833. 

  834. 	if ($printheader) {
    835. 

  835. 		if (function_exists("llxHeader")) {
    836. 

  836. 			llxHeader('');
    837. 

  837. 		} elseif (function_exists("llxHeaderVierge")) {
    838. 

  838. 			llxHeaderVierge('');
    839. 

  839. 		}
    840. 

  840. 	}
    841. 

  841. 	print '<div class="error">';
    842. 

  842. 	if (!$message) {
    843. 

  843. 		print $langs->trans("ErrorForbidden");
    844. 

  844. 	} else {
    845. 

  845. 		print $message;
    846. 

  846. 	}
    847. 

  847. 	print '</div>';
    848. 

  848. 	print '<br>';
    849. 

  849. 	if (empty($showonlymessage)) {
    850. 

  850. 		global $action, $object;
    851. 

  851. 		if (empty($hookmanager)) {
    852. 

  852. 			$hookmanager = new HookManager($db);
    853. 

  853. 			// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
    854. 

  854. 			$hookmanager->initHooks(array('main'));
    855. 

  855. 		}
    856. 

  856. 		$parameters = array('message'=>$message, 'params'=>$params);
    857. 

  857. 		$reshook = $hookmanager->executeHooks('getAccessForbiddenMessage', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
    858. 

  858. 		print $hookmanager->resPrint;
    859. 

  859. 		if (empty($reshook)) {
    860. 

  860. 			if ($user->login) {
    861. 

  861. 				print $langs->trans("CurrentLogin").': <span class="error">'.$user->login.'</span><br>';
    862. 

  862. 				print $langs->trans("ErrorForbidden2", $langs->transnoentitiesnoconv("Home"), $langs->transnoentitiesnoconv("Users"));
    863. 

  863. 			} else {
    864. 

  864. 				print $langs->trans("ErrorForbidden3");
    865. 

  865. 			}
    866. 

  866. 		}
    867. 

  867. 	}
    868. 

  868. 	if ($printfooter && function_exists("llxFooter")) {
    869. 

  869. 		llxFooter();
    870. 

  870. 	}
    871. 

  871. 	exit(0);
    872. 

  872. }
    873. 

  873.