* Copyright (C) 2002-2003 Jean-Louis Bergamo * Copyright (C) 2004-2020 Laurent Destailleur * Copyright (C) 2004 Eric Seigne * Copyright (C) 2005-2017 Regis Houssin * Copyright (C) 2012 Juanjo Menent * Copyright (C) 2020 Tobias Sekan * Copyright (C) 2024 MDW * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ /** * \file htdocs/user/perms.php * \brief Page to set permission of a user record */ if (!defined('CSRFCHECK_WITH_TOKEN')) { define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET } // Load Dolibarr environment require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; // Load translation files required by page $langs->loadLangs(array('users', 'admin')); $id = GETPOSTINT('id'); $action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $module = GETPOST('module', 'alpha'); $rights = GETPOSTINT('rights'); $updatedmodulename = GETPOST('updatedmodulename', 'alpha'); $contextpage = GETPOST('contextpage', 'aZ') ? GETPOST('contextpage', 'aZ') : 'userperms'; // To manage different context of search if (!isset($id) || empty($id)) { accessforbidden(); } // Define if user can read permissions $canreaduser = ($user->admin || $user->hasRight("user", "user", "read")); // Define if user can modify other users and permissions $caneditperms = ($user->admin || $user->hasRight("user", "user", "write")); // Advanced permissions if (getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) { $canreaduser = ($user->admin || ($user->hasRight("user", "user", "read") && $user->hasRight("user", "user_advance", "readperms"))); $caneditselfperms = ($user->id == $id && $user->hasRight("user", "self_advance", "writeperms")); $caneditperms = (($caneditperms || $caneditselfperms) ? 1 : 0); } // Security check $socid = 0; if (isset($user->socid) && $user->socid > 0) { $socid = $user->socid; } $feature2 = (($socid && $user->hasRight("user", "self", "write")) ? '' : 'user'); // A user can always read its own card if not advanced perms enabled, or if he has advanced perms, except for admin if ($user->id == $id && (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && !$user->hasRight("user", "self_advance", "readperms") && empty($user->admin))) { accessforbidden(); } // Initialize a technical object to manage hooks of page. Note that conf->hooks_modules contains an array of hook context $hookmanager->initHooks(array('usercard', 'userperms', 'globalcard')); $result = restrictedArea($user, 'user', $id, 'user&user', $feature2); if ($user->id != $id && !$canreaduser) { accessforbidden(); } $object = new User($db); $object->fetch($id, '', '', 1); $object->loadRights(); $entity = $conf->entity; /* * Actions */ $parameters = array('socid' => $socid); $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) { setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); } if (empty($reshook)) { if ($action == 'addrights' && $caneditperms && $confirm == 'yes') { $edituser = new User($db); $edituser->fetch($object->id); $result = $edituser->addrights($rights, $module, '', $entity); if ($result < 0) { setEventMessages($edituser->error, $edituser->errors, 'errors'); } // If we are changing our own permissions, we reload permissions and menu if ($object->id == $user->id) { $user->clearrights(); $user->loadRights(); // @phan-suppress-next-line PhanRedefinedClassReference $menumanager->loadMenu(); } $object->clearrights(); $object->loadRights(); } if ($action == 'delrights' && $caneditperms && $confirm == 'yes') { $edituser = new User($db); $edituser->fetch($object->id); $result = $edituser->delrights($rights, $module, '', $entity); if ($result < 0) { setEventMessages($edituser->error, $edituser->errors, 'errors'); } // If we are changing our own permissions, we reload permissions and menu if ($object->id == $user->id) { $user->clearrights(); $user->loadRights(); // @phan-suppress-next-line PhanRedefinedClassReference $menumanager->loadMenu(); } $object->clearrights(); $object->loadRights(); } } /* * View */ $form = new Form($db); $person_name = !empty($object->firstname) ? $object->lastname.", ".$object->firstname : $object->lastname; $title = $person_name." - ".$langs->trans('Permissions'); $help_url = ''; llxHeader('', $title, $help_url, '', 0, 0, '', '', '', 'mod-user page-card_perms'); $head = user_prepare_head($object); $title = $langs->trans("User"); print dol_get_fiche_head($head, 'rights', $title, -1, 'user'); $db->begin(); // Search all modules with permission and reload permissions def. $modules = array(); $modulesdir = dolGetModulesDirs(); foreach ($modulesdir as $dir) { $handle = @opendir(dol_osencode($dir)); if (is_resource($handle)) { while (($file = readdir($handle)) !== false) { if (is_readable($dir.$file) && substr($file, 0, 3) == 'mod' && substr($file, dol_strlen($file) - 10) == '.class.php') { $modName = substr($file, 0, dol_strlen($file) - 10); if ($modName) { include_once $dir.$file; $objMod = new $modName($db); // Load all lang files of module if (isset($objMod->langfiles) && is_array($objMod->langfiles)) { foreach ($objMod->langfiles as $domain) { $langs->load($domain); } } // Load all permissions if ($objMod->rights_class) { $ret = $objMod->insert_permissions(0, $entity); $modules[$objMod->rights_class] = $objMod; //print "modules[".$objMod->rights_class."]=$objMod;"; } } } } } } $db->commit(); '@phan-var-force DolibarrModules[] $modules'; // Read permissions of edited user $permsuser = array(); $sql = "SELECT DISTINCT ur.fk_id"; $sql .= " FROM ".MAIN_DB_PREFIX."user_rights as ur"; $sql .= " WHERE ur.entity = ".((int) $entity); $sql .= " AND ur.fk_user = ".((int) $object->id); dol_syslog("get user perms", LOG_DEBUG); $result = $db->query($sql); if ($result) { $num = $db->num_rows($result); $i = 0; while ($i < $num) { $obj = $db->fetch_object($result); array_push($permsuser, $obj->fk_id); $i++; } $db->free($result); } else { dol_print_error($db); } // Read the permissions of a user inherited by its groups $permsgroupbyentity = array(); $sql = "SELECT DISTINCT gr.fk_id, gu.entity"; // fk_id are permission id and entity is entity of the group $sql .= " FROM ".MAIN_DB_PREFIX."usergroup_rights as gr,"; $sql .= " ".MAIN_DB_PREFIX."usergroup_user as gu"; // all groups of a user $sql .= " WHERE gr.entity = ".((int) $entity); // The entity on the table gu=usergroup_user should be useless and should never be used because it is already into gr and r. // but when using MULTICOMPANY_TRANSVERSE_MODE, we may have inserted record that make rubbish result here due to the duplicate record of // other entities, so we are forced to add a filter on gu here $sql .= " AND gu.entity IN (0,".$conf->entity.")"; $sql .= " AND gr.fk_usergroup = gu.fk_usergroup"; $sql .= " AND gu.fk_user = ".((int) $object->id); dol_syslog("get user perms", LOG_DEBUG); $result = $db->query($sql); if ($result) { $num = $db->num_rows($result); $i = 0; while ($i < $num) { $obj = $db->fetch_object($result); if (!isset($permsgroupbyentity[$obj->entity])) { $permsgroupbyentity[$obj->entity] = array(); } array_push($permsgroupbyentity[$obj->entity], $obj->fk_id); $i++; } $db->free($result); } else { dol_print_error($db); } /* * Part to add/remove permissions */ $linkback = ''; if ($user->hasRight("user", "user", "read") || $user->admin) { $linkback = ''.$langs->trans("BackToList").''; } $morehtmlref = ''; $morehtmlref .= img_picto($langs->trans("Download").' '.$langs->trans("VCard"), 'vcard.png', 'class="valignmiddle marginleftonly paddingrightonly"'); $morehtmlref .= ''; $urltovirtualcard = '/user/virtualcard.php?id='.((int) $object->id); $morehtmlref .= dolButtonToOpenUrlInDialogPopup('publicvirtualcard', $langs->transnoentitiesnoconv("PublicVirtualCardUrl").' - '.$object->getFullName($langs), img_picto($langs->trans("PublicVirtualCardUrl"), 'card', 'class="valignmiddle marginleftonly paddingrightonly"'), $urltovirtualcard, '', 'nohover'); dol_banner_tab($object, 'id', $linkback, $user->hasRight("user", "user", "read") || $user->admin, 'rowid', 'ref', $morehtmlref); print '
'; print '
'; print ''; // Login print ''; if (!empty($object->ldap_sid) && $object->statut == 0) { print ''; } else { print ''; } print ''."\n"; // Type print ''."\n"; print '
'.$langs->trans("Login").''; print $langs->trans("LoginAccountDisableInDolibarr"); print ''; $addadmin = ''; if (property_exists($object, 'admin')) { if (isModEnabled('multicompany') && !empty($object->admin) && empty($object->entity)) { $addadmin .= img_picto($langs->trans("SuperAdministratorDesc"), "redstar", 'class="paddingleft"'); } elseif (!empty($object->admin)) { $addadmin .= img_picto($langs->trans("AdministratorDesc"), "star", 'class="paddingleft"'); } } print showValueWithClipboardCPButton($object->login).$addadmin; print '
'; $text = $langs->trans("Type"); print $form->textwithpicto($text, $langs->trans("InternalExternalDesc")); print ''; $type = $langs->trans("Internal"); if ($object->socid > 0) { $type = $langs->trans("External"); } print ''; print $type; if ($object->ldap_sid) { print ' ('.$langs->trans("DomainUser").')'; } print ''; print '
'; print '
'; print '
'; if ($user->admin) { print info_admin($langs->trans("WarningOnlyPermissionOfActivatedModules")); } // If edited user is an extern user, we show warning for external users if (!empty($object->socid)) { print info_admin(showModulesExludedForExternal($modules))."\n"; } $parameters = array('permsgroupbyentity' => $permsgroupbyentity); $reshook = $hookmanager->executeHooks('insertExtraHeader', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) { setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); } $listofexpandedmodules = array(); print "\n"; print '
'; print ''; print ''; print ''; if ($caneditperms) { print ''; } else { print ''; } print ''; //print ''; print ''; print ''."\n"; // Fix bad value for module_position in table // ------------------------------------------ $sql = "SELECT r.id, r.libelle as label, r.module, r.perms, r.subperms, r.module_position, r.bydefault"; $sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r"; $sql .= " WHERE r.libelle NOT LIKE 'tou%'"; // On ignore droits "tous" $sql .= " AND r.entity = ".((int) $entity); $sql .= " ORDER BY r.family_position, r.module_position, r.module, r.id"; $result = $db->query($sql); if ($result) { $num = $db->num_rows($result); $i = 0; $oldmod = ''; while ($i < $num) { $obj = $db->fetch_object($result); // If line is for a module that does not exist anymore (absent of includes/module), we ignore it if (!isset($obj->module) || empty($modules[$obj->module])) { $i++; continue; } // Special cases if (isModEnabled("reception")) { // The 2 permissions in fournisseur modules are replaced by permissions into reception module if ($obj->module == 'fournisseur' && $obj->perms == 'commande' && $obj->subperms == 'receptionner') { $i++; continue; } if ($obj->module == 'fournisseur' && $obj->perms == 'commande_advance' && $obj->subperms == 'check') { $i++; continue; } } $objMod = $modules[$obj->module]; // Save field module_position in database if value is wrong if (empty($obj->module_position) || (is_object($objMod) && $objMod->isCoreOrExternalModule() == 'external' && $obj->module_position < 100000)) { if (is_object($modules[$obj->module]) && ($modules[$obj->module]->module_position > 0)) { // TODO Define familyposition //$familyposition = $modules[$obj->module]->family_position; $familyposition = 0; $newmoduleposition = $modules[$obj->module]->module_position; // Correct $newmoduleposition position for external modules $objMod = $modules[$obj->module]; if (is_object($objMod) && $objMod->isCoreOrExternalModule() == 'external' && $newmoduleposition < 100000) { $newmoduleposition += 100000; } $sqlupdate = 'UPDATE '.MAIN_DB_PREFIX."rights_def SET module_position = ".((int) $newmoduleposition).","; $sqlupdate .= " family_position = ".((int) $familyposition); $sqlupdate .= " WHERE module_position = ".((int) $obj->module_position)." AND module = '".$db->escape($obj->module)."'"; $db->query($sqlupdate); } } } } //print "xx".$conf->global->MAIN_USE_ADVANCED_PERMS; $sql = "SELECT r.id, r.libelle as label, r.module, r.perms, r.subperms, r.module_position, r.bydefault"; $sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r"; $sql .= " WHERE r.libelle NOT LIKE 'tou%'"; // On ignore droits "tous" $sql .= " AND r.entity = ".((int) $entity); if (!getDolGlobalString('MAIN_USE_ADVANCED_PERMS')) { $sql .= " AND r.perms NOT LIKE '%_advance'"; // Hide advanced perms if option is not enabled } $sql .= " ORDER BY r.family_position, r.module_position, r.module, r.id"; $result = $db->query($sql); if ($result) { $num = $db->num_rows($result); $i = 0; $j = 0; $oldmod = ''; $cookietohidegroup = (empty($_COOKIE["DOLUSER_PERMS_HIDE_GRP"]) ? '' : preg_replace('/^,/', '', $_COOKIE["DOLUSER_PERMS_HIDE_GRP"])); $cookietohidegrouparray = explode(',', $cookietohidegroup); //var_dump($cookietohidegrouparray); while ($i < $num) { $obj = $db->fetch_object($result); // If line is for a module that does not exist anymore (absent of includes/module), we ignore it if (empty($modules[$obj->module])) { $i++; continue; } // Special cases if (isModEnabled("reception")) { // The 2 permission in fournisseur modules has been replaced by permissions into reception module if ($obj->module == 'fournisseur' && $obj->perms == 'commande' && $obj->subperms == 'receptionner') { $i++; continue; } if ($obj->module == 'fournisseur' && $obj->perms == 'commande_advance' && $obj->subperms == 'check') { $i++; continue; } } $objMod = $modules[$obj->module]; // Save field module_position in database if value is wrong /* if (empty($obj->module_position) || (is_object($objMod) && $objMod->isCoreOrExternalModule() == 'external' && $obj->module_position < 100000)) { if (is_object($modules[$obj->module]) && ($modules[$obj->module]->module_position > 0)) { // TODO Define familyposition //$familyposition = $modules[$obj->module]->family_position; $familyposition = 0; $newmoduleposition = $modules[$obj->module]->module_position; // Correct $newmoduleposition position for external modules $objMod = $modules[$obj->module]; if (is_object($objMod) && $objMod->isCoreOrExternalModule() == 'external' && $newmoduleposition < 100000) { $newmoduleposition += 100000; } $sqlupdate = 'UPDATE '.MAIN_DB_PREFIX."rights_def SET module_position = ".((int) $newmoduleposition).","; $sqlupdate .= " family_position = ".((int) $familyposition); $sqlupdate .= " WHERE module_position = ".((int) $obj->module_position)." AND module = '".$db->escape($obj->module)."'"; $db->query($sqlupdate); } } */ if (GETPOSTISSET('forbreakperms_'.$obj->module)) { $ishidden = GETPOSTINT('forbreakperms_'.$obj->module); } elseif (in_array($j, $cookietohidegrouparray)) { // If j is among list of hidden group $ishidden = 1; } else { $ishidden = 0; } $isexpanded = ! $ishidden; //var_dump("isexpanded=".$isexpanded); $permsgroupbyentitypluszero = array(); if (!empty($permsgroupbyentity[0])) { $permsgroupbyentitypluszero = array_merge($permsgroupbyentitypluszero, $permsgroupbyentity[0]); } if (!empty($permsgroupbyentity[$entity])) { $permsgroupbyentitypluszero = array_merge($permsgroupbyentitypluszero, $permsgroupbyentity[$entity]); } //var_dump($permsgroupbyentitypluszero); // Break found, it's a new module to catch if (isset($obj->module) && ($oldmod != $obj->module)) { $oldmod = $obj->module; $j++; if (GETPOSTISSET('forbreakperms_'.$obj->module)) { $ishidden = GETPOSTINT('forbreakperms_'.$obj->module); } elseif (in_array($j, $cookietohidegrouparray)) { // If j is among list of hidden group $ishidden = 1; } else { $ishidden = 0; } $isexpanded = ! $ishidden; //var_dump('$obj->module='.$obj->module.' isexpanded='.$isexpanded); // Break detected, we get objMod $objMod = $modules[$obj->module]; $picto = ($objMod->picto ? $objMod->picto : 'generic'); // Show break line print ''; // Picto and label of module print ''; // Permission and tick (2 columns) if (($caneditperms && empty($objMod->rights_admin_allowed)) || empty($object->admin)) { if ($caneditperms) { print ''; print ''; } else { print ''; print ''; } } else { if ($caneditperms) { print ''; print ''; } else { print ''; print ''; } } // Description of permission (2 columns) print ''; print ''; //Add picto + / - when open en closed print ''."\n"; } print ''."\n"; print ''; // Picto and label of module print ''; // Permission and tick (2 columns) if (!empty($object->admin) && !empty($objMod->rights_admin_allowed)) { // Permission granted because admin print ''; if ($caneditperms) { print ''; } else { print ''; } print ''; } elseif (in_array($obj->id, $permsuser)) { // Permission granted by user print ''; if ($caneditperms) { print ''; } else { print ''; } print ''; } elseif (isset($permsgroupbyentitypluszero) && is_array($permsgroupbyentitypluszero)) { print ''; if (in_array($obj->id, $permsgroupbyentitypluszero)) { // Permission granted by group print ''; print ''; } else { // Do not own permission if ($caneditperms) { print ''; } else { print ''; } print ''; } } else { // Do not own permission print ''; if ($caneditperms) { print ''; } else { print ''; } print ''; } // Description of permission (2 columns) $permlabel = (getDolGlobalString('MAIN_USE_ADVANCED_PERMS') && ($langs->trans("PermissionAdvanced".$obj->id) != "PermissionAdvanced".$obj->id) ? $langs->trans("PermissionAdvanced".$obj->id) : (($langs->trans("Permission".$obj->id) != "Permission".$obj->id) ? $langs->trans("Permission".$obj->id) : $langs->trans($obj->label))); if (!$user->admin) { print ''; // Permission id if ($user->admin) { print ''; } print ''."\n"; $i++; } } else { dol_print_error($db); } print '
'.$langs->trans("Module").''; print ''.$langs->trans("All").""; print ' / '; print ''.$langs->trans("None").""; print ''; print ''.img_picto('', 'folder-open', 'class="paddingright"').''.$langs->trans("ExpandAll").''; print ' | '; print ''.img_picto('', 'folder', 'class="paddingright"').''.$langs->trans("UndoExpandAll").''; print '
'; print ''; print img_object('', $picto, 'class="pictoobjectwidth paddingright"').' '.$objMod->getName(); print ''; print ''; print ''; print ''; print '  '; /*print 'module.'&confirm=yes&updatedmodulename='.$obj->module.'">'.$langs->trans("All").""; print ' / '; print 'module.'&confirm=yes&updatedmodulename='.$obj->module.'">'.$langs->trans("None").""; */ print ''; print '  '; print ''; print ''; print '
'; print '
'; print ''; print ''; $parameters = array(); $reshook = $hookmanager->executeHooks('insertExtraFooter', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) { setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); } print dol_get_fiche_end(); // End of page llxFooter(); $db->close();