[Noalyss-commit] [noalyss] 26/119: FollowUp : new right : delete action


From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 26/119: FollowUp : new right : delete action
Date: Mon, 26 Oct 2020 18:27:08 -0400 (EDT)

sparkyx pushed a commit to branch master
in repository noalyss.

commit 096e16cf2f317e04f4624c86484c4b37e78fc8e1
Author: Dany De Bontridder <danydb@noalyss.eu>
AuthorDate: Tue Sep 29 18:10:00 2020 +0200

    FollowUp : new right : delete action
---
 include/action.common.inc.php        | 43 +++++++++++++++++++++---------------
 include/action.inc.php               |  9 +++++---
 include/ajax/ajax_anc_search.php     |  2 +-
 include/class/profile_menu.class.php |  3 ++-
 include/class/user.class.php         | 16 ++++++++++++++
 sql/upgrade.sql                      | 11 +++++++--
 6 files changed, 59 insertions(+), 25 deletions(-)

diff --git a/include/action.common.inc.php b/include/action.common.inc.php
index 59d9041..976fcbe 100644
--- a/include/action.common.inc.php
+++ b/include/action.common.inc.php
@@ -30,18 +30,20 @@
  *
  */
 if ( ! defined ('ALLOWED') ) die('Appel direct ne sont pas permis');
+$http=new HttpInput();
 $supl_hidden = '';
 if (isset($_REQUEST['sc']))
-       $supl_hidden.=HtmlInput::hidden('sc', $_REQUEST['sc']);
+       $supl_hidden.=HtmlInput::hidden('sc', $http->request("sc"));
 if (isset($_REQUEST['f_id']))
-       $supl_hidden.=HtmlInput::hidden('f_id', $_REQUEST['f_id']);
+       $supl_hidden.=HtmlInput::hidden('f_id', 
$http->request("f_id","number"));
 if (isset($_REQUEST['sb']))
-       $supl_hidden.=HtmlInput::hidden('sb', $_REQUEST['sb']);
-$supl_hidden.=HtmlInput::hidden('ac', $_REQUEST['ac']);
+       $supl_hidden.=HtmlInput::hidden('sb', $http->request("sb"));
+$supl_hidden.=HtmlInput::hidden('ac', $http->request("ac"));
+
 
 $correction = 0;
 $error_id=0;
-$http=new HttpInput();
+
 
/*-----------------------------------------------------------------------------*/
 /* For other action
 
/*-----------------------------------------------------------------------------*/
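Review bot: Only `f_id` receives a type in the new `$http->request()` calls; `sc`, `sb` and `ac` are read with the default type, so the move away from `$_REQUEST` tightens validation for one field out of four. If HttpInput::request accepts a narrower type for `sc` and `sb` (the hunk does not show what they hold), pass it, as is done for `f_id`. The `isset($_REQUEST['sc'])` guards still read the superglobal directly while the value now comes through `$http`, so presence check and value live in two places. `$http->request("ac")` is also unconditional with no default, so what happens when `ac` is absent now depends on HttpInput rather than on the old PHP notice — worth confirming it fails closed.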
@@ -210,18 +212,23 @@ if ($sub_action == 'detail')
         
        if ($g_user->can_write_action($ag_id)  == true)
        {
-               echo '<form  enctype="multipart/form-data"  
id="action_common_frm" class="print" action="do.php"  method="post"   >';
-               echo $supl_hidden;
-               echo HtmlInput::hidden('ac', $_REQUEST['ac']);
-               echo dossier::hidden();
-               echo $act->Display('UPD', false, $base, $retour);
-               echo '<input type="hidden" name="sa" value="update">';
-               echo '<input type="hidden" id="delete" name="delete" 
value="0">';
-               echo HtmlInput::submit("save", "Sauve",' 
onclick="$(\'delete\').value=0"');
-               echo HtmlInput::submit("add_action_here", _("Ajoute un 
événement à celui-ci"),' onclick="$(\'delete\').value=0"');
-               echo HtmlInput::submit("delete_bt", _("Efface cet événement "), 
' onclick="$(\'delete\').value=1;return confirm_box(\'action_common_frm\',\''. 
_("Vous confirmez l\'effacement") . '\')" ');
-               echo $retour;
-               echo '</form>';
+            echo '<form  enctype="multipart/form-data"  id="action_common_frm" 
class="print" action="do.php"  method="post"   >';
+            echo $supl_hidden;
+            echo HtmlInput::hidden('ac', $http->request('ac'));
+            echo dossier::hidden();
+            echo $act->Display('UPD', false, $base, $retour);
+            echo '<input type="hidden" name="sa" value="update">';
+            echo '<input type="hidden" id="delete" name="delete" value="0">';
+            echo HtmlInput::submit("save", "Sauve",' 
onclick="$(\'delete\').value=0"');
+            echo HtmlInput::submit("add_action_here", _("Ajoute un événement à 
celui-ci"),' onclick="$(\'delete\').value=0"');
+            // 
+            if ($g_user->can_delete_action($ag_id))
+            {
+                echo HtmlInput::submit("delete_bt", _("Efface cet événement 
"), 
+                        ' onclick="$(\'delete\').value=1;return 
confirm_box(\'action_common_frm\',\''. _("Vous confirmez l\'effacement") . 
'\')" ');
+            }
+            echo $retour;
+            echo '</form>';
        }
        else if ($g_user->can_read_action($ag_id) == true || $act->ag_dest == 
-1)
        {
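Review bot: Gating the delete button behind `can_delete_action()` is a UI convenience, not the authorization check: the form still ships the hidden `delete` input (`value="0"`) together with `sa=update`, so whichever handler processes an update with `delete` set to 1 must call `$g_user->can_delete_action($ag_id)` as well; that code is outside this hunk and I cannot see whether it does, and the server-side check in the `$sub_action == 'delete'` branch below covers only that path. The block is also re-indented from tabs to spaces, which makes the diff far larger than the one-line gate it introduces. The empty `// ` comment above the `if` should either say why the button is gated (`// delete button only for profiles holding the delete right`) or be dropped. The enclosing `if ($sub_action == 'detail')` block starts before the hunk.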
@@ -245,7 +252,7 @@ if ($sub_action == 'delete')
        $act = new Follow_Up($cn);
        $act->ag_id =$http->request("ag_id","number") ;
        $act->get();
-       if ($g_user->can_write_action($act->ag_id)==true)       $act->remove();
+       if ($g_user->can_delete_action($act->ag_id)==true)      $act->remove();
        $sub_action = "list";
        $cn->commit();
        Follow_Up::show_action_list($cn, $base);
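Review bot: When `can_delete_action()` returns false the request silently falls through to the list view, so a refused deletion looks exactly like a successful one to the user. Consider surfacing the refusal; `$error_id` is initialised at the top of this file in the first hunk and may be the intended channel — confirm. The enclosing `if ($sub_action == 'delete')` block starts before the hunk.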
diff --git a/include/action.inc.php b/include/action.inc.php
index 5709845..9f61297 100644
--- a/include/action.inc.php
+++ b/include/action.inc.php
@@ -22,6 +22,8 @@
  */
 if ( ! defined ('ALLOWED') ) die('Appel direct ne sont pas permis');
 global $g_user;
+$http=new HttpInput();
+
 $retour=HtmlInput::button_anchor(_('Retour liste'),
        
HtmlInput::request_to_string(array("closed_action","remind_date_end","remind_date","sag_ref","only_internal","state","ac","gDossier","qcode","ag_dest_query","action_query","tdoc","date_start","date_end","hsstate","searchtag")),
         "","","smallbutton");
@@ -47,12 +49,13 @@ require_once NOALYSS_INCLUDE.'/class/follow_up.class.php';
 // propose to add one
 // permit also a search
 // show detail
-$sub_action=(isset($_REQUEST['sa']))?$_REQUEST['sa']:"";
+$sub_action=$http->request("sa","string","");
 /* if ag_id is set then we give it otherwise we have problem
  * with the generation of document
  */
-$ag_id=(isset($_REQUEST['ag_id']))?$_REQUEST['ag_id']:0;
-$ac=$_REQUEST['ac'];
+$ag_id=$http->request("ag_id","string","0");
+
+$ac=$http->request("ac");
 $base=HtmlInput::request_to_string(array('ac','gDossier'),"");
 
 require_once NOALYSS_INCLUDE.'/action.common.inc.php';
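Review bot: `ag_id` is read as `"string"` with default `"0"` at `$ag_id=$http->request("ag_id","string","0");`, whereas the delete branch in action.common.inc.php reads the same parameter as `"number"`; since it is an `action_gestion.ag_id` key, `$ag_id=$http->request("ag_id","number",0);` keeps the two call sites consistent and preserves the original integer `0` fallback. `$ac=$http->request("ac")` carries no default, so a missing `ac` now behaves however HttpInput decides rather than as a PHP notice — confirm it fails closed. `$http` is instantiated at the top of this hunk and again in action.common.inc.php, which this file requires on the last line shown; one instance passed along would avoid the duplication.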
diff --git a/include/ajax/ajax_anc_search.php b/include/ajax/ajax_anc_search.php
index 00c114e..c8364d7 100644
--- a/include/ajax/ajax_anc_search.php
+++ b/include/ajax/ajax_anc_search.php
@@ -72,7 +72,7 @@ if ( isset($_REQUEST['go']))
     $sql="select po_name , po_description from poste_analytique ".
          "where pa_id=$1 and ".
          " (po_name ~* $2 or po_description ~* $3) order by po_name";
-    $array=$cn->get_array($sql,array($_c2,$plabel,$plabel));
+    $array=$cn->get_array($sql,array($c2,$plabel,$plabel));
 
     if (empty($array) == true)
     {
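Review bot: The `$_c2` → `$c2` correction is a genuine fix (the old name would have passed an undefined variable as `$1`), but it is unrelated to the commit subject and absent from the message; a separate commit or a line such as `Fix undefined $_c2 in ajax_anc_search.php` in the description would make it findable later. `$c2` and `$plabel` are assigned outside the hunk, so I cannot confirm how they are validated before reaching the query; the query itself stays parameterised, which is right. The enclosing `if ( isset($_REQUEST['go']))` block starts before the hunk.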
diff --git a/include/class/profile_menu.class.php 
b/include/class/profile_menu.class.php
index 145f5fd..96b06ca 100644
--- a/include/class/profile_menu.class.php
+++ b/include/class/profile_menu.class.php
@@ -244,7 +244,8 @@ class Profile_Menu extends Profile_Menu_sql
                                ", array($this->p_id));
             $aright_value=array(
                 array('value'=>'R', 'label'=>_('Lecture')),
-                array('value'=>'W', 'label'=>_('Ecriture')),
+                array('value'=>'W', 'label'=>_('Ecriture et suppression')),
+                array('value'=>'O', 'label'=>_('Ecriture')),
                 array('value'=>'X', 'label'=>_('Aucun accès'))
             );
             require_once NOALYSS_TEMPLATE.'/user_sec_profile.php';
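Review bot: The new `'O'` value has no mnemonic, and the two labels alone do not tell a maintainer that `'W'` keeps its previous delete capability while `'O'` is the write-only subset; add a comment above the array, e.g. `// 'W' = write + delete (legacy value, semantics unchanged), 'O' = write only`. Listing `'O'` before `'W'` would also order the options from least to most privilege. These values must stay in sync with the CHECK constraint in sql/upgrade.sql and the `ua_right in ('W','O')` test in user.class.php, both in this commit.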
diff --git a/include/class/user.class.php b/include/class/user.class.php
index d258120..f48f794 100644
--- a/include/class/user.class.php
+++ b/include/class/user.class.php
@@ -1192,6 +1192,22 @@ class User
             if ( $this->get_status_security_action()==0)                return 
TRUE;
             $profile = $this->get_profile();
                     $r = $this->db->get_value(" select count(*) from 
action_gestion where ag_id=$1 and ag_dest in
+                               (select p_granted from user_sec_action_profile 
where ua_right in ('W','O') and p_id=$2) ", array($dtoc, $profile));
+               if ($r == 0)
+                       return FALSE;
+               return true;
+       }
+         /**
+         *Check if the profile of the user can write AND delete for this 
profile
+         * @param  $dtoc action_gestion.ag_id
+         * @return true if he can write otherwise false
+         */
+       function can_delete_action($dtoc)
+       {
+            if ( $this->Admin() == 1 ) return TRUE;
+            if ( $this->get_status_security_action()==0)                return 
TRUE;
+            $profile = $this->get_profile();
+                    $r = $this->db->get_value(" select count(*) from 
action_gestion where ag_id=$1 and ag_dest in
                                (select p_granted from user_sec_action_profile 
where ua_right='W' and p_id=$2) ", array($dtoc, $profile));
                if ($r == 0)
                        return FALSE;
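Review bot: The docblock on `can_delete_action()` reads `@return true if he can write otherwise false` and the indentation mixes tabs and spaces, both copied from `can_write_action()`; the return line should say `@return true if he can delete otherwise false`, and the summary line `*Check if the profile of the user can write AND delete for this profile` is missing a space after `*`. The body is otherwise a duplicate of `can_write_action()` differing only in the accepted `ua_right` values, so a private helper taking the list of rights would keep the two checks from drifting; the query must stay parameterised as it is now. `can_write_action()` starts before the hunk and `can_delete_action()` ends after it.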
diff --git a/sql/upgrade.sql b/sql/upgrade.sql
index fb36c0d..8dac206 100644
--- a/sql/upgrade.sql
+++ b/sql/upgrade.sql
@@ -1,3 +1,4 @@
+
 CREATE OR REPLACE FUNCTION comptaproc.jrn_check_periode()
  RETURNS trigger
  LANGUAGE plpgsql
@@ -40,5 +41,11 @@ if comptaproc.is_closed (ljr_tech_per,ljr_def_id) = true then
 end if;
 
 return lreturn;
-end;$function$
-;
\ No newline at end of file
+end;
+$function$;
+LANGUAGE plpgsql;
+
+-- New right for action : delete
+ALTER TABLE public.user_sec_action_profile drop CONSTRAINT 
user_sec_action_profile_ua_right_check;
+ALTER TABLE public.user_sec_action_profile ADD CONSTRAINT 
user_sec_action_profile_ua_right_check check (ua_right in ('R','W','X','O'));
+
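Review bot: The added `LANGUAGE plpgsql;` on its own line after `$function$;` is a standalone statement, not part of the CREATE FUNCTION: the function header at the top of the file already carries `LANGUAGE plpgsql`, and `$function$;` terminates the statement, so the server will report a syntax error at that line unless the script is run with errors ignored; drop it and keep `end;` / `$function$;`. The constraint swap drops `user_sec_action_profile_ua_right_check` and re-adds it as two separate statements, so if the script is not executed inside a transaction a failure between them leaves `ua_right` unconstrained; wrap the two ALTERs in `BEGIN;`/`COMMIT;` or use a single `ALTER TABLE ... DROP CONSTRAINT ..., ADD CONSTRAINT ...`. Existing values 'R', 'W' and 'X' remain valid under the new check, so no data migration is needed.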


