[Noalyss-commit] [noalyss] 11/38: Sécurité : bloquer le changement de da


From: dwm
Subject: [Noalyss-commit] [noalyss] 11/38: Sécurité : bloquer le changement de date des opérations, Renforce mode strict : change de date impossible
Date: Sun, 18 Feb 2024 07:30:43 -0500 (EST)

sparkyx pushed a commit to branch devel
in repository noalyss.

commit fc23fb16715f9d0e6fc10168983fbb97ffa37c60
Author: sparkyx <danydb@noalyss.eu>
AuthorDate: Sat Feb 3 11:08:16 2024 +0100

    Sécurité : bloquer le changement de date des opérations,
    Renforce mode strict : change de date impossible
---
 include/ajax/ajax_ledger.php            | 15 ++++++++++-----
 include/constant.security.php           |  1 +
 include/template/ledger_detail_ach.php  |  3 +++
 include/template/ledger_detail_fin.php  |  4 ++++
 include/template/ledger_detail_misc.php |  3 +++
 include/template/ledger_detail_ven.php  |  5 ++++-
 sql/upgrade.sql                         |  3 +++
 7 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/include/ajax/ajax_ledger.php b/include/ajax/ajax_ledger.php
index 001ef0ac0..f866c664d 100644
--- a/include/ajax/ajax_ledger.php
+++ b/include/ajax/ajax_ledger.php
@@ -132,7 +132,7 @@ switch ($action) {
     //  remove op
     ///////////////////////////////////////////////////////////////////////////
     case 'rmop':
-        if ($access == 'W' && $g_user->check_action(RMOPER) == 1) {
+        if ($access == 'W' && $g_user->check_action(RMOPER) == 1 && 
$g_parameter->MY_STRICT=='N') {
             ob_start();
             /* get the ledger */
             try {
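Review bot: The new guard `$g_parameter->MY_STRICT=='N'` makes `rmop` unreachable for every user in strict mode, including those who hold RMOPER, whereas the date guard added later in this same file is keyed on `MY_STRICT=='Y'` and can be overridden by UPDDATE; the two guards also fail in opposite directions when MY_STRICT is unset or holds another value (removal blocked, date editable). If the asymmetry is intended, say so where a later reader will look for an override: `// strict mode: operations can never be removed, whatever RMOPER says; no per-user override`. The rest of the `rmop` case, including whatever happens when the condition is false, lies outside this hunk.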
@@ -345,7 +345,7 @@ switch ($action) {
         $http = new HttpInput();
         try {
             $cn->start();
-            if ($access == "W") {
+            if ($access == "W" ) {
                 if (isset($_POST['p_ech'])) {
                     $ech = $http->post('p_ech');
                     if (trim($ech) != '' && isDate($ech) != null) {
@@ -372,15 +372,20 @@ switch ($action) {
                     }
                 }
                 $oLedger=new Acc_Ledger($cn,$ledger);
-                    $npj=$http->post('npj');
+                $npj=$http->post('npj');
                 // protect receipt number
                 if ( ($g_parameter->MY_PJ_SUGGEST == 
'A'||$g_user->check_action(UPDRECEIPT)==0)  && $oLedger->get_type() !='FIN') {
                     $npj=$cn->get_value("select jr_pj_number from jrn where 
jr_id=$1",[$jr_id]);
                 }
+                // protect date in strict mode
+                $date=$http->post("p_date");
+                if (  $g_parameter->MY_STRICT=='Y' && 
$g_user->check_action(UPDDATE)==0) {
+                    $date=$cn->get_value("select to_char(jr_date,'DD.MM.YYYY') 
from jrn where jr_id=$1",[$jr_id]);
+                }
                 $cn->exec_sql("update jrn set 
jr_comment=$1,jr_pj_number=$2,jr_date=to_date($4,'DD.MM.YYYY'),jr_optype=$5 
where jr_id=$3",
-                    array($http->post('lib'), $npj, $jr_id, 
$http->post('p_date'), $http->post('jr_optype')));
+                    array($http->post('lib'), $npj, $jr_id,$date, 
$http->post('jr_optype')));
                 $cn->exec_sql("update jrnx set j_date=to_date($1,'DD.MM.YYYY') 
where j_grpt in (select jr_grpt_id from jrn where jr_id=$2)",
-                    array($http->post('p_date'), $jr_id));
+                    array($date, $jr_id));
                 $cn->exec_sql('update operation_analytique set oa_date=j_date 
from jrnx
                                where
                                operation_analytique.j_id=jrnx.j_id  and
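Review bot: `$date=$http->post("p_date");` is passed straight into `to_date($4,'DD.MM.YYYY')` whenever strict mode is off or the user holds UPDDATE, with no format check, although `p_ech` a few lines earlier in the same handler is guarded by `isDate()`; a malformed value then fails inside Postgres, in the transaction opened by `$cn->start()`, instead of being rejected before any update runs. Validate it the same way right after reading it, e.g. `if ($date === null || trim($date) == '' || isDate($date) == null) { throw new Exception('invalid date'); }` — the `catch` that would receive it is outside this hunk. The override is also only applied when `MY_STRICT=='Y'`, so an empty or unexpected parameter value leaves the date editable while the `rmop` guard in the same file blocks on anything but 'N'; `MY_STRICT!='N'` would make both fail closed. The enclosing `case` starts and ends outside the hunk.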
diff --git a/include/constant.security.php b/include/constant.security.php
index b8a307e01..a6de1d91c 100644
--- a/include/constant.security.php
+++ b/include/constant.security.php
@@ -28,6 +28,7 @@ define ('PARCATDOC',1050);   // modifier type document pour 
follow up
 define ('RMRECEIPT',1110);   // Effacer un document d'une pièce comptable
 define ('RMOPER',1120);   // Effacer une opération comptable
 define ('UPDRECEIPT',1130);   // change un numéro de pièce
+define ('UPDDATE',1140);   // change date operation
 define ('SHARENOTE',1210); // Can share a note
 define ('SHARENOTEPUBLIC',1220); // Can create public note
 define ('SHARENOTEREMOVE',1230); // Can drop drop of other
diff --git a/include/template/ledger_detail_ach.php 
b/include/template/ledger_detail_ach.php
index f10c09a3c..aadb8e91d 100644
--- a/include/template/ledger_detail_ach.php
+++ b/include/template/ledger_detail_ach.php
@@ -21,6 +21,9 @@ global $div,$g_parameter,$cn,$access,$jr_id,$obj;
                         <?php
                         $date = new IDate('p_date');
                         $date->value = format_date($obj->det->jr_date);
+                        if (  $g_parameter->MY_STRICT=='Y' && 
$g_user->check_action(UPDDATE)==0) {
+                            $date->setReadOnly(true);
+                        }
                         echo td(_('Date')) . td($date->input());
                         ?>
                         <tr>
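Review bot: The added check calls `$g_user->check_action(UPDDATE)`, but `$g_user` is not in the template's `global` declaration shown as hunk context (`global $div,$g_parameter,$cn,$access,$jr_id,$obj;`); the sibling ledger_detail_ven.php change in this commit adds `$g_user` to exactly this list and ledger_detail_fin.php adds a `global` line for it, which suggests these templates are included from function scope, in which case `$g_user` is null here and the call fails. Change the declaration to `global $div,$g_parameter,$cn,$access,$jr_id,$obj,$g_user;`. The `readonly` flag is only a UI hint; the server-side check in ajax_ledger.php is what actually enforces the lock.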
diff --git a/include/template/ledger_detail_fin.php 
b/include/template/ledger_detail_fin.php
index 215d8cfc9..b6e944784 100644
--- a/include/template/ledger_detail_fin.php
+++ b/include/template/ledger_detail_fin.php
@@ -2,6 +2,7 @@
 //This file is part of NOALYSS and is under GPL 
 //see licence.txt
 $str_anc="";
+global $g_parameter,$g_user;
 ?><?php require_once NOALYSS_TEMPLATE.'/ledger_detail_top.php'; ?>
 <div class="content" style="padding:0;">
 <?php
@@ -19,6 +20,9 @@ $str_anc="";
 <tr>
 <?php
 $date=new IDate('p_date');
+if (  $g_parameter->MY_STRICT=='Y' && $g_user->check_action(UPDDATE)==0) {
+    $date->setReadOnly(true);
+}
 $date->value=format_date($obj->det->jr_date);
  echo td(_('Date')).td($date->input());
 
diff --git a/include/template/ledger_detail_misc.php 
b/include/template/ledger_detail_misc.php
index bbd7df138..57fe1f5e9 100644
--- a/include/template/ledger_detail_misc.php
+++ b/include/template/ledger_detail_misc.php
@@ -27,6 +27,9 @@ $owner = new Noalyss_Parameter_Folder($cn);
                     <td>
                         <?php
                         $date=new IDate('p_date');
+                        if (  $g_parameter->MY_STRICT=='Y' && 
$g_user->check_action(UPDDATE)==0) {
+                            $date->setReadOnly(true);
+                        }
                         $date->value=format_date($obj->det->jr_date);
                          echo td(_('Date')).td($date->input());
 
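Review bot: The added block uses `$g_user` and `$g_parameter`, but no `global` declaration for them is visible in this hunk, while ledger_detail_fin.php and ledger_detail_ven.php in the same commit had to add one; if this template is included inside a function, `$g_user` is undefined here and `check_action()` is called on null. Confirm the file declares `global $g_user` above line 27, or add `global $g_parameter, $g_user;` next to the existing `$owner = new Noalyss_Parameter_Folder($cn);` line.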
diff --git a/include/template/ledger_detail_ven.php 
b/include/template/ledger_detail_ven.php
index eeb76df98..852d7844e 100644
--- a/include/template/ledger_detail_ven.php
+++ b/include/template/ledger_detail_ven.php
@@ -1,7 +1,7 @@
 <?php
 //This file is part of NOALYSS and is under GPL 
 //see licence.txt
-global $div, $g_parameter, $cn, $access, $jr_id, $obj;
+global $div, $g_parameter, $cn, $access, $jr_id, $obj,$g_user;
 ?>
 
 <?php require_once NOALYSS_TEMPLATE . '/ledger_detail_top.php'; ?>
@@ -31,6 +31,9 @@ $str_anc = "";
                         <td></td>
                         <?php
                         $date = new IDate('p_date');
+                        if (  $g_parameter->MY_STRICT=='Y' && 
$g_user->check_action(UPDDATE)==0) {
+                            $date->setReadOnly(true);
+                        }
                         $date->value = format_date($obj->det->jr_date);
                         echo td(_('Date')) . td($date->input());
                         ?>
diff --git a/sql/upgrade.sql b/sql/upgrade.sql
index 517ad5398..c89bc475c 100644
--- a/sql/upgrade.sql
+++ b/sql/upgrade.sql
@@ -1,3 +1,6 @@
 
 insert into action (ac_id,ac_description,ac_module,ac_code) values 
(1130,'Modifier le numéro de pièce','compta','UPDRECEIPT');
+insert into action (ac_id,ac_description,ac_module,ac_code) values 
(1140,'Modifier la date d''une operation' ,'compta','UPDDATE');
 
+insert into user_sec_act(ua_login,ua_act_id) select distinct ua_login,1130 
from user_sec_act;
+insert into user_sec_act(ua_login,ua_act_id) select distinct ua_login,1140 
from user_sec_act;
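Review bot: `insert into user_sec_act(ua_login,ua_act_id) select distinct ua_login,1140 from user_sec_act;` grants UPDDATE (and, on the line above, UPDRECEIPT) to every login that has any action at all, so right after the upgrade the strict-mode date lock is bypassed by every existing user until an administrator revokes 1140 per user; if preserving existing behaviour is the intent it should be stated, otherwise seed only administrators and let the profile decide. The statements are also not idempotent: re-running the script inserts duplicate (ua_login, 1140) pairs unless user_sec_act has a unique constraint on them, which is not visible here — guard with `where not exists (select 1 from user_sec_act x where x.ua_login=user_sec_act.ua_login and x.ua_act_id=1140)`.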


