FIX unprivileged user can see task associated with a not allowed project

Dolibarr · Sep 18, 2021 · 2acb84b · 2acb84b
1 parent 4faaa81
commit 2acb84b
Show file tree

Hide file tree

Showing 6 changed files with 442 additions and 430 deletions.
diff --git a/htdocs/projet/tasks/comment.php b/htdocs/projet/tasks/comment.php
@@ -47,13 +47,6 @@
 $project_ref = GETPOST('project_ref', 'alpha');
 $planned_workload = ((GETPOST('planned_workloadhour', 'int') != '' || GETPOST('planned_workloadmin', 'int') != '') ? (GETPOST('planned_workloadhour', 'int') > 0 ?GETPOST('planned_workloadhour', 'int') * 3600 : 0) + (GETPOST('planned_workloadmin', 'int') > 0 ?GETPOST('planned_workloadmin', 'int') * 60 : 0) : '');
 
-// Security check
-$socid = 0;
-//if ($user->socid > 0) $socid = $user->socid;    // For external user, no check is done on company because readability is managed by public status of project and assignement.
-if (!$user->rights->projet->lire) {
-	accessforbidden();
-}
-
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('projecttaskcommentcard', 'globalcard'));
 
@@ -79,10 +72,21 @@
 	}
 }
 
+
+if ($id > 0 || $ref) {
+	$object->fetch($id, $ref);
+}
+
+// Security check
+$socid = 0;
+
+restrictedArea($user, 'projet', $object->fk_project, 'projet&project');
+
+
+
 /*
  * View
-*/
-
+ */
 
 llxHeader('', $langs->trans("CommentPage"));
 

diff --git a/htdocs/projet/tasks/contact.php b/htdocs/projet/tasks/contact.php
@@ -40,16 +40,17 @@
 $withproject = GETPOST('withproject', 'int');
 $project_ref = GETPOST('project_ref', 'alpha');
 
+$object = new Task($db);
+$projectstatic = new Project($db);
+
+if ($id > 0 || $ref) {
+	$object->fetch($id, $ref);
+}
+
 // Security check
 $socid = 0;
-//if ($user->socid > 0) $socid = $user->socid;    // For external user, no check is done on company because readability is managed by public status of project and assignement.
-//$result = restrictedArea($user, 'projet', $id, 'projet_task');
-if (!$user->rights->projet->lire) {
-	accessforbidden();
-}
 
-$object = new Task($db);
-$projectstatic = new Project($db);
+restrictedArea($user, 'projet', $object->fk_project, 'projet&project');
 
 
 /*

diff --git a/htdocs/projet/tasks/document.php b/htdocs/projet/tasks/document.php
@@ -37,21 +37,13 @@
 
 $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
-$mine = $_REQUEST['mode'] == 'mine' ? 1 : 0;
+$mine = GETPOST('mode') == 'mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1;	// Special for projects
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
 $withproject = GETPOST('withproject', 'int');
 $project_ref = GETPOST('project_ref', 'alpha');
 
-// Security check
-$socid = 0;
-//if ($user->socid > 0) $socid = $user->socid;    // For external user, no check is done on company because readability is managed by public status of project and assignement.
-//$result=restrictedArea($user,'projet',$id,'');
-if (!$user->rights->projet->lire) {
-	accessforbidden();
-}
-
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST("sortfield", 'alpha');
@@ -73,6 +65,17 @@
 $object = new Task($db);
 $projectstatic = new Project($db);
 
+if ($id > 0 || $ref) {
+	$object->fetch($id, $ref);
+}
+
+// Security check
+$socid = 0;
+
+restrictedArea($user, 'projet', $object->fk_project, 'projet&project');
+
+
+
 /*
  * Actions
  */
@@ -92,25 +95,21 @@
 }
 
 if ($id > 0 || !empty($ref)) {
-	if ($object->fetch($id, $ref) > 0) {
-		if (!empty($conf->global->PROJECT_ALLOW_COMMENT_ON_TASK) && method_exists($object, 'fetchComments') && empty($object->comments)) {
-			$object->fetchComments();
-		}
-		$projectstatic->fetch($object->fk_project);
-		if (!empty($conf->global->PROJECT_ALLOW_COMMENT_ON_PROJECT) && method_exists($projectstatic, 'fetchComments') && empty($projectstatic->comments)) {
-			$projectstatic->fetchComments();
-		}
+	if (!empty($conf->global->PROJECT_ALLOW_COMMENT_ON_TASK) && method_exists($object, 'fetchComments') && empty($object->comments)) {
+		$object->fetchComments();
+	}
+	$projectstatic->fetch($object->fk_project);
+	if (!empty($conf->global->PROJECT_ALLOW_COMMENT_ON_PROJECT) && method_exists($projectstatic, 'fetchComments') && empty($projectstatic->comments)) {
+		$projectstatic->fetchComments();
+	}
 
-		if (!empty($projectstatic->socid)) {
-			$projectstatic->fetch_thirdparty();
-		}
+	if (!empty($projectstatic->socid)) {
+		$projectstatic->fetch_thirdparty();
+	}
 
-		$object->project = clone $projectstatic;
+	$object->project = clone $projectstatic;
 
-		$upload_dir = $conf->projet->dir_output.'/'.dol_sanitizeFileName($projectstatic->ref).'/'.dol_sanitizeFileName($object->ref);
-	} else {
-		dol_print_error($db);
-	}
+	$upload_dir = $conf->projet->dir_output.'/'.dol_sanitizeFileName($projectstatic->ref).'/'.dol_sanitizeFileName($object->ref);
 }
 
 include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';

diff --git a/htdocs/projet/tasks/note.php b/htdocs/projet/tasks/note.php
@@ -31,7 +31,7 @@
 
 $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
-$mine = $_REQUEST['mode'] == 'mine' ? 1 : 0;
+$mine = GETPOST('mode') == 'mine' ? 1 : 0;
 //if (! $user->rights->projet->all->lire) $mine=1;	// Special for projects
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
@@ -82,6 +82,12 @@
 	}
 }
 
+if ($id > 0 || $ref) {
+	$object->fetch($id, $ref);
+}
+
+restrictedArea($user, 'projet', $object->fk_project, 'projet&project');
+
 $permissionnote = ($user->rights->projet->creer || $user->rights->projet->all->creer);