[Noalyss-commit] [noalyss] 08/14: Sécurité : bloquer le changement de da
From: |
dwm |
Subject: |
[Noalyss-commit] [noalyss] 08/14: Sécurité : bloquer le changement de date des opérations, Renforce mode strict : change de date impossible |
Date: |
Sun, 4 Feb 2024 05:51:23 -0500 (EST) |
sparkyx pushed a commit to branch devel
in repository noalyss.
commit cbdec27e332c7fb9d19e2a0f59dcc099def9395d
Author: sparkyx <danydb@noalyss.eu>
AuthorDate: Sat Feb 3 11:08:16 2024 +0100
Sécurité : bloquer le changement de date des opérations,
Renforce mode strict : change de date impossible
---
include/ajax/ajax_ledger.php | 15 ++++++++++-----
include/constant.security.php | 1 +
include/template/ledger_detail_ach.php | 3 +++
include/template/ledger_detail_fin.php | 4 ++++
include/template/ledger_detail_misc.php | 3 +++
include/template/ledger_detail_ven.php | 5 ++++-
sql/upgrade.sql | 3 +++
7 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/include/ajax/ajax_ledger.php b/include/ajax/ajax_ledger.php
index 001ef0ac0..f866c664d 100644
--- a/include/ajax/ajax_ledger.php
+++ b/include/ajax/ajax_ledger.php
@@ -132,7 +132,7 @@ switch ($action) {
// remove op
///////////////////////////////////////////////////////////////////////////
case 'rmop':
- if ($access == 'W' && $g_user->check_action(RMOPER) == 1) {
+ if ($access == 'W' && $g_user->check_action(RMOPER) == 1 &&
$g_parameter->MY_STRICT=='N') {
ob_start();
/* get the ledger */
try {
@@ -345,7 +345,7 @@ switch ($action) {
$http = new HttpInput();
try {
$cn->start();
- if ($access == "W") {
+ if ($access == "W" ) {
if (isset($_POST['p_ech'])) {
$ech = $http->post('p_ech');
if (trim($ech) != '' && isDate($ech) != null) {
@@ -372,15 +372,20 @@ switch ($action) {
}
}
$oLedger=new Acc_Ledger($cn,$ledger);
- $npj=$http->post('npj');
+ $npj=$http->post('npj');
// protect receipt number
if ( ($g_parameter->MY_PJ_SUGGEST ==
'A'||$g_user->check_action(UPDRECEIPT)==0) && $oLedger->get_type() !='FIN') {
$npj=$cn->get_value("select jr_pj_number from jrn where
jr_id=$1",[$jr_id]);
}
+ // protect date in strict mode
+ $date=$http->post("p_date");
+ if ( $g_parameter->MY_STRICT=='Y' &&
$g_user->check_action(UPDDATE)==0) {
+ $date=$cn->get_value("select to_char(jr_date,'DD.MM.YYYY')
from jrn where jr_id=$1",[$jr_id]);
+ }
$cn->exec_sql("update jrn set
jr_comment=$1,jr_pj_number=$2,jr_date=to_date($4,'DD.MM.YYYY'),jr_optype=$5
where jr_id=$3",
- array($http->post('lib'), $npj, $jr_id,
$http->post('p_date'), $http->post('jr_optype')));
+ array($http->post('lib'), $npj, $jr_id,$date,
$http->post('jr_optype')));
$cn->exec_sql("update jrnx set j_date=to_date($1,'DD.MM.YYYY')
where j_grpt in (select jr_grpt_id from jrn where jr_id=$2)",
- array($http->post('p_date'), $jr_id));
+ array($date, $jr_id));
$cn->exec_sql('update operation_analytique set oa_date=j_date
from jrnx
where
operation_analytique.j_id=jrnx.j_id and
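Review bot: The date guard is active only when `$g_parameter->MY_STRICT=='Y'`, whereas the `rmop` check in the first hunk permits deletion only when the value is `'N'`; any other stored value (empty, lowercase, missing) would block deletion but leave the date editable. Testing `$g_parameter->MY_STRICT!='N'` here, and in the four `ledger_detail_*` templates that repeat the condition, would make both controls fail closed. The posted `p_date` is also discarded silently for a user without `UPDDATE`; a comment such as `// strict mode: ignore the posted date and keep the stored one` would document that. If the project has an audit trail, an entry when the posted value differs from the stored one would make tampering attempts visible. The enclosing `case` begins and ends outside this hunk.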
diff --git a/include/constant.security.php b/include/constant.security.php
index b8a307e01..a6de1d91c 100644
--- a/include/constant.security.php
+++ b/include/constant.security.php
@@ -28,6 +28,7 @@ define ('PARCATDOC',1050); // modifier type document pour
follow up
define ('RMRECEIPT',1110); // Effacer un document d'une pièce comptable
define ('RMOPER',1120); // Effacer une opération comptable
define ('UPDRECEIPT',1130); // change un numéro de pièce
+define ('UPDDATE',1140); // change date operation
define ('SHARENOTE',1210); // Can share a note
define ('SHARENOTEPUBLIC',1220); // Can create public note
define ('SHARENOTEREMOVE',1230); // Can drop drop of other
diff --git a/include/template/ledger_detail_ach.php
b/include/template/ledger_detail_ach.php
index f10c09a3c..aadb8e91d 100644
--- a/include/template/ledger_detail_ach.php
+++ b/include/template/ledger_detail_ach.php
@@ -21,6 +21,9 @@ global $div,$g_parameter,$cn,$access,$jr_id,$obj;
<?php
$date = new IDate('p_date');
$date->value = format_date($obj->det->jr_date);
+ if ( $g_parameter->MY_STRICT=='Y' &&
$g_user->check_action(UPDDATE)==0) {
+ $date->setReadOnly(true);
+ }
echo td(_('Date')) . td($date->input());
?>
<tr>
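Review bot: The added check calls `$g_user->check_action(UPDDATE)`, but the `global` statement shown in this hunk's header (`global $div,$g_parameter,$cn,$access,$jr_id,$obj;`) does not list `$g_user`. The commit adds it to the `global` line in `ledger_detail_fin.php` and `ledger_detail_ven.php`, but not here or in `ledger_detail_misc.php`. If these templates are included from function scope and nothing else in that scope imports it, `$g_user` is undefined and the call fails with a fatal error on every operation detail view. Adding `global $g_user;` in both files would rule that out. The field being read-only is only a display aid; the enforcement that matters is the server-side check in `ajax_ledger.php`.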
diff --git a/include/template/ledger_detail_fin.php
b/include/template/ledger_detail_fin.php
index 215d8cfc9..b6e944784 100644
--- a/include/template/ledger_detail_fin.php
+++ b/include/template/ledger_detail_fin.php
@@ -2,6 +2,7 @@
//This file is part of NOALYSS and is under GPL
//see licence.txt
$str_anc="";
+global $g_parameter,$g_user;
?><?php require_once NOALYSS_TEMPLATE.'/ledger_detail_top.php'; ?>
<div class="content" style="padding:0;">
<?php
@@ -19,6 +20,9 @@ $str_anc="";
<tr>
<?php
$date=new IDate('p_date');
+if ( $g_parameter->MY_STRICT=='Y' && $g_user->check_action(UPDDATE)==0) {
+ $date->setReadOnly(true);
+}
$date->value=format_date($obj->det->jr_date);
echo td(_('Date')).td($date->input());
diff --git a/include/template/ledger_detail_misc.php
b/include/template/ledger_detail_misc.php
index bbd7df138..57fe1f5e9 100644
--- a/include/template/ledger_detail_misc.php
+++ b/include/template/ledger_detail_misc.php
@@ -27,6 +27,9 @@ $owner = new Noalyss_Parameter_Folder($cn);
<td>
<?php
$date=new IDate('p_date');
+ if ( $g_parameter->MY_STRICT=='Y' &&
$g_user->check_action(UPDDATE)==0) {
+ $date->setReadOnly(true);
+ }
$date->value=format_date($obj->det->jr_date);
echo td(_('Date')).td($date->input());
diff --git a/include/template/ledger_detail_ven.php
b/include/template/ledger_detail_ven.php
index eeb76df98..852d7844e 100644
--- a/include/template/ledger_detail_ven.php
+++ b/include/template/ledger_detail_ven.php
@@ -1,7 +1,7 @@
<?php
//This file is part of NOALYSS and is under GPL
//see licence.txt
-global $div, $g_parameter, $cn, $access, $jr_id, $obj;
+global $div, $g_parameter, $cn, $access, $jr_id, $obj,$g_user;
?>
<?php require_once NOALYSS_TEMPLATE . '/ledger_detail_top.php'; ?>
@@ -31,6 +31,9 @@ $str_anc = "";
<td></td>
<?php
$date = new IDate('p_date');
+ if ( $g_parameter->MY_STRICT=='Y' &&
$g_user->check_action(UPDDATE)==0) {
+ $date->setReadOnly(true);
+ }
$date->value = format_date($obj->det->jr_date);
echo td(_('Date')) . td($date->input());
?>
diff --git a/sql/upgrade.sql b/sql/upgrade.sql
index 517ad5398..c89bc475c 100644
--- a/sql/upgrade.sql
+++ b/sql/upgrade.sql
@@ -1,3 +1,6 @@
insert into action (ac_id,ac_description,ac_module,ac_code) values
(1130,'Modifier le numéro de pièce','compta','UPDRECEIPT');
+insert into action (ac_id,ac_description,ac_module,ac_code) values
(1140,'Modifier la date d''une operation' ,'compta','UPDDATE');
+insert into user_sec_act(ua_login,ua_act_id) select distinct ua_login,1130
from user_sec_act;
+insert into user_sec_act(ua_login,ua_act_id) select distinct ua_login,1140
from user_sec_act;
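Review bot: The two added `insert ... select distinct ua_login,...` statements grant `UPDRECEIPT` (1130) and the new `UPDDATE` (1140) to every login that already has a row in `user_sec_act`, so after the upgrade strict mode restricts no existing user until an administrator revokes the right. If that default is intended for backward compatibility, it deserves a comment in the script, e.g. `-- existing users keep the right; revoke UPDDATE to enforce the strict-mode date lock`. The statements are also not guarded against a re-run or an already existing grant. Adding `where not exists (select 1 from user_sec_act x where x.ua_login=user_sec_act.ua_login and x.ua_act_id=1140)` (and likewise for 1130) would avoid duplicate rows or a constraint failure, depending on how the table is keyed.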