
[Noalyss-commit] [noalyss] 08/21: Task #1127 - Ajout évenement depuis t


From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 08/21: Task #1127 - Ajout évenement depuis tableau de bord ou agenda #1127 add security
Date: Wed, 19 Aug 2015 22:59:29 +0000

sparkyx pushed a commit to branch master
in repository noalyss.

commit 36b21ccde4ebe244a14d5e7d4bf7c3264a4ef486
Author: Dany De Bontridder <address@hidden>
Date:   Sat Aug 15 08:41:47 2015 +0200

    Task #1127 - Ajout événement depuis tableau de bord ou agenda
    #1127 add security
---
 include/action.common.inc.php |    8 ++++----
 include/ajax_gestion.php      |   10 +++++++++-
 include/class_follow_up.php   |   12 +++++++++++-
 include/class_user.php        |   21 ++++++++++++++++++++-
 4 files changed, 44 insertions(+), 7 deletions(-)

diff --git a/include/action.common.inc.php b/include/action.common.inc.php
index 9e29f9a..df9943e 100644
--- a/include/action.common.inc.php
+++ b/include/action.common.inc.php
@@ -203,8 +203,8 @@ if ($sub_action == 'detail')
                echo $act->Display('UPD', false, $base, $retour);
                echo '<input type="hidden" name="sa" value="update">';
                echo HtmlInput::submit("save", "Sauve");
-               echo HtmlInput::submit("add_action_here", _("Ajoute une action 
à celle-ci"));
-               echo HtmlInput::submit("delete", _("Efface cette action"), ' 
onclick="return confirm(\'' . _("Vous confirmez l\'effacement") . '\')" ');
+               echo HtmlInput::submit("add_action_here", _("Ajoute un 
événement à celui-ci"));
+               echo HtmlInput::submit("delete", _("Efface cet événement "), ' 
onclick="return confirm(\'' . _("Vous confirmez l\'effacement") . '\')" ');
                echo $retour;
                echo '</form>';
        }
@@ -269,11 +269,11 @@ if ($sub_action == "save_action_st2")
        // insert into action_gestion
        echo $act->save();
        $url = "?$base&sa=detail&ag_id=" . $act->ag_id . '&' . dossier::get();
-       echo '<p><a class="mtitle" href="' . $url . '">' . hb(_('Action 
Sauvée').'  : ' . $act->ag_ref) . '</a></p>';
+       echo '<p><a class="mtitle" href="' . $url . '">' . hb(_('Evènement 
Sauvée').'  : ' . $act->ag_ref) . '</a></p>';
 
        Follow_Up::show_action_list($cn,$base);
        $url = "?$base&sa=detail&ag_id=" . $act->ag_id . '&' . dossier::get();
-       echo '<p><a class="mtitle" href="' . $url . '">' . hb(_('Action 
Sauvée').'  : ' . $act->ag_ref) . '</a></p>';
+       echo '<p><a class="mtitle" href="' . $url . '">' . hb(_('Evènement 
Sauvée').'  : ' . $act->ag_ref) . '</a></p>';
     } catch (Exception $e)
     {
         echo '<span class="notice">';
diff --git a/include/ajax_gestion.php b/include/ajax_gestion.php
index 67aee1f..830acd9 100644
--- a/include/ajax_gestion.php
+++ b/include/ajax_gestion.php
@@ -106,7 +106,15 @@ if ($op=='action_save')
     $gestion->dt_id=$type_event;
     $gestion->ag_comment=h($summary);
     $gestion->ag_timestamp=$date_event;
-    $gestion->save_short();
+    $content=_('Sauvé');
+    $status='OK';
+    try {
+        $gestion->save_short();
+    } catch (Exception $ex)
+    {
+        $content=$ex->getMessage();
+        $status='NOK';
+    }
     header('Content-type: text/xml; charset=UTF-8');
     $dom=new DOMDocument('1.0', 'UTF-8');
     $xml_content=$dom->createElement('content', _("Sauvé"));
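Review bot: The error text gathered in the new catch block never reaches the client: `$content` is set to `$ex->getMessage()` when `save_short()` throws, but the `content` element on the last line of the hunk is still built from the literal `_("Sauvé")`, so a save rejected by the security check is reported as saved. Use the variable there, and because DOMDocument::createElement does not escape the value it is given, build it as a text node: `$xml_content=$dom->createElement('content');` followed by `$xml_content->appendChild($dom->createTextNode($content));`. Whether `$status` is written into the response is decided further down; the `if ($op=='action_save')` block continues outside the hunk, so I cannot confirm it is used.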
diff --git a/include/class_follow_up.php b/include/class_follow_up.php
index bb66082..474ea1f 100644
--- a/include/class_follow_up.php
+++ b/include/class_follow_up.php
@@ -1765,10 +1765,20 @@ class Follow_Up
         include 'template/action_display_short.php'; 
     }
     /**
-     * 
+     * Add an event , with the minimum of informations, 
+     * used in Dashboard and Scheduler
      */
     function save_short()
     {
+        global $g_user;
+        // check if we can add
+        if ($g_user->can_add_action($this->ag_dest) == FALSE ) 
+        {
+                throw new Exception(_('SECURITE : Ajout impossible'));
+        }
+        
+            
+        
         // Get The sequence id,
         $seq_name="seq_doc_type_".$this->dt_id;
         $str_file="";
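Review bot: The new guard in `save_short()` uses a loose `== FALSE` comparison; `can_add_action()` returns a bool, so write it as `if (!$g_user->can_add_action($this->ag_dest))` (or `=== false`), and drop the three whitespace-only lines that follow the closing brace. The check sits before the sequence lookup, which is the right place for a fail-closed check, but the method body continues past the hunk so I cannot confirm that nothing else is persisted earlier. The docblock should also state the failure mode, e.g. `@throws Exception when the current user has no grant on $this->ag_dest`.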
diff --git a/include/class_user.php b/include/class_user.php
index 30a3f5c..8852440 100644
--- a/include/class_user.php
+++ b/include/class_user.php
@@ -1114,6 +1114,25 @@ class User
                return $profile;
        }
         /**
+         * Check if the current user can add an action in the profile given
+         * in parameter
+         * @param type $p_profile profile.p_id = action_gestion.ag_dest
+         * @return boolean
+         */
+        function can_add_action($p_profile)
+        {
+            $r=$this->db->get_value (' select count(*) 
+                from user_sec_action_profile
+                where p_granted=$1
+                and p_id=$2',
+                    array($this->get_profile(),$p_profile));
+            if ($r == 0 ) 
+            {
+                return false;
+            } 
+            return true;
+        }
+        /**
          *Check if the profile of the user can write for this profile
          * @param  $dtoc action_gestion.ag_id
          * @return true if he can write otherwise false
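Review bot: The parameter binding in `can_add_action()` looks reversed relative to the sibling query in `can_write_action()`: there, `p_id=$2` is bound to the caller's own profile and `p_granted` is matched against the target `ag_dest`, whereas the new query binds the caller's profile to `p_granted` and `$p_profile` to `p_id`. If `p_id` really is the grantee's profile, this evaluates the grant in the wrong direction and the check would pass or fail for the wrong pairs of profiles; please confirm against the `user_sec_action_profile` schema before relying on it. The new query also applies no `ua_right` filter, so if that column separates write from read grants as `can_write_action()` assumes, a read-only grant is enough to add an event, and there is no Admin short-circuit like the one on the first line of the next hunk. Replace the `@param type` placeholder with the real type of `ag_dest` and return the boolean directly instead of the `== 0` branch.

```php
function can_add_action($p_profile)
{
    if ($this->Admin() == 1) return true;
    // NOTE(review): column order and the 'W' right are taken from
    // can_write_action() — confirm against the schema
    $r=$this->db->get_value(' select count(*)
        from user_sec_action_profile
        where p_id=$1
        and p_granted=$2
        and ua_right=\'W\'',
            array($this->get_profile(),$p_profile));
    return $r != 0;
}
```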
@@ -1122,7 +1141,7 @@ class User
        {
             if ( $this->Admin() == 1 ) return true;
                $profile = $this->get_profile();
-               $r = $this->db->get_value(" select count(*) from action_gestion 
where ag_id=$1 and ag_dest in
+                    $r = $this->db->get_value(" select count(*) from 
action_gestion where ag_id=$1 and ag_dest in
                                (select p_granted from user_sec_action_profile 
where ua_right='W' and p_id=$2) ", array($dtoc, $profile));
                if ($r == 0)
                        return false;


