
[Securité] Empêche des utilisateurs de modifier ou supprimer des cong…
…és en modifiant le paramètre 'p_num' dans l'url Fix #384

(#386)
tneullas authored and wouldsmina committed Apr 6, 2017
1 parent 57446cd commit 4bc5ce3
Showing 2 changed files with 74 additions and 34 deletions.
85 changes: 51 additions & 34 deletions App/ProtoControllers/Conge.php
Expand Up @@ -18,14 +18,14 @@ class Conge
public function getListe()
{
$return = '';
$errorsLst=[];
if($_SESSION['config']['where_to_find_user_email']=="ldap"){
include_once CONFIG_PATH .'config_ldap.php';
$errorsLst = [];
if ($_SESSION['config']['where_to_find_user_email'] == "ldap") {
include_once CONFIG_PATH . 'config_ldap.php';
}

if(!empty($_POST) && !$this->isSearch($_POST)) {
if (!empty($_POST) && !$this->isSearch($_POST)) {
if (0 < (int) \utilisateur\Fonctions::postDemandeCongesHeure($_POST, $errorsLst)) {
$return .= '<div class="alert alert-info">'._('suppr_succes').'</div>';
$return .= '<div class="alert alert-info">' . _('suppr_succes') . '</div>';
}
}
// on initialise le tableau global des jours fériés s'il ne l'est pas déjà :
Expand All @@ -35,20 +35,20 @@ public function getListe()

if (!empty($_POST) && $this->isSearch($_POST)) {
$champsRecherche = $_POST['search'];
$champsSql = $this->transformChampsRecherche($_POST);
$champsSql = $this->transformChampsRecherche($_POST);
} else {
$champsRecherche = [
'type' => 'cp',
];
$champsSql = [];
$champsSql = [];
}
$params = $champsSql + [
'p_login' => $_SESSION['userlogin'],
'type' => 'cp',
'p_etat' => 'demande',
'type' => 'cp',
'p_etat' => 'demande',
]; // champs par défaut écrasés par postés

$return.= $this->getFormulaireRecherche($champsRecherche);
$return .= $this->getFormulaireRecherche($champsRecherche);

$table = new \App\Libraries\Structure\Table();
$table->addClasses([
Expand All @@ -58,14 +58,14 @@ public function getListe()
'table-condensed',
'table-striped',
]);
$childTable = '<thead><tr><th>' . _('divers_debut_maj_1') . '</th><th>'. _('divers_fin_maj_1') .'</th><th>'. _('divers_type_maj_1') .'</th><th>'. _('divers_nb_jours_pris_maj_1') .'</th><th>Statut</th><th></th><th></th>';
$childTable = '<thead><tr><th>' . _('divers_debut_maj_1') . '</th><th>' . _('divers_fin_maj_1') . '</th><th>' . _('divers_type_maj_1') . '</th><th>' . _('divers_nb_jours_pris_maj_1') . '</th><th>Statut</th><th></th><th></th>';
$childTable .= '</tr>';
$childTable .= '</thead><tbody>';
$listId = $this->getListeId($params);
$session = session_id();
if (empty($listId)) {
$colonnes = 8;
$childTable .= '<tr><td colspan="' . $colonnes . '"><center>' . _('aucun_resultat') .'</center></td></tr>';
$childTable .= '<tr><td colspan="' . $colonnes . '"><center>' . _('aucun_resultat') . '</center></td></tr>';
} else {
$i = true;
$listeConges = $this->getListeSQL($listId);
Expand All @@ -80,7 +80,7 @@ public function getListe()
list($date, $heure) = explode(' ', $conges["p_date_demande"]);
$dateDemande = '(' . \App\Helpers\Formatter::dateIso2Fr($date) . ' ' . $heure . ') ';
}
if(null != $conges["p_date_traitement"]) {
if (null != $conges["p_date_traitement"]) {
list($date, $heure) = explode(' ', $conges["p_date_traitement"]);
$dateReponse = '(' . \App\Helpers\Formatter::dateIso2Fr($date) . ' ' . $heure . ') ';
}
Expand All @@ -98,33 +98,33 @@ public function getListe()
$messageReponse = '';
}

$demi_j_deb = ($conges["p_demi_jour_deb"]=="am") ? 'matin' : 'après-midi';
$demi_j_deb = ($conges["p_demi_jour_deb"] == "am") ? 'matin' : 'après-midi';

$demi_j_fin = ($conges["p_demi_jour_fin"] =="am") ? 'matin' : 'après-midi';
$user_modif_demande="&nbsp;";
$demi_j_fin = ($conges["p_demi_jour_fin"] == "am") ? 'matin' : 'après-midi';
$user_modif_demande = "&nbsp;";

// si on peut modifier une demande :on defini le lien à afficher
if( !$interdictionModification && $conges["p_etat"] != "valid") {
if (!$interdictionModification && $conges["p_etat"] != "valid") {
//on ne peut pas modifier une demande qui a déja été validé une fois (si on utilise la double validation)
$user_modif_demande = '<a href="user_index.php?session=' . $session . '&p_num=' . $conges['p_num'] . '&onglet=modif_demande">' . _('form_modif') . '</a>' ;
$user_modif_demande = '<a href="user_index.php?session=' . $session . '&p_num=' . $conges['p_num'] . '&onglet=modif_demande">' . _('form_modif') . '</a>';
}
$user_suppr_demande = '<a href="user_index.php?session=' . $session . '&p_num=' . $conges['p_num'] . '&onglet=suppr_demande">' . _('form_supprim') . '</a>';
$childTable .= '<tr class="'.($i?'i':'p').'">';
$childTable .= '<tr class="' . ($i ? 'i' : 'p') . '">';
$childTable .= '<td class="histo">' . \App\Helpers\Formatter::dateIso2Fr($conges["p_date_deb"]) . ' <span class="demi">' . schars($demi_j_deb) . '</span></td>';
$childTable .= '<td class="histo">' . \App\Helpers\Formatter::dateIso2Fr($conges["p_date_fin"]) . ' <span class="demi">' . schars($demi_j_fin) . '</span></td>' ;
$childTable .= '<td class="histo">'.schars($conges["ta_libelle"]).'</td>' ;
$childTable .= '<td class="histo">'.affiche_decimal($conges["p_nb_jours"]).'</td>' ;
$childTable .= '<td class="histo">' . \App\Helpers\Formatter::dateIso2Fr($conges["p_date_fin"]) . ' <span class="demi">' . schars($demi_j_fin) . '</span></td>';
$childTable .= '<td class="histo">' . schars($conges["ta_libelle"]) . '</td>';
$childTable .= '<td class="histo">' . affiche_decimal($conges["p_nb_jours"]) . '</td>';
$childTable .= '<td>' . \App\Models\Conge::statusText($conges["p_etat"]) . '</td>';
$childTable .= '<td class="histo">';
if (!empty($messageDemande) || !empty($messageReponse)) {
$childTable .= '<i class="fa fa-comments" aria-hidden="true" title="' . $messageDemande . "\n\n" . $messageReponse . '"></i>';
}
$childTable .= '</td>' ;
$childTable .= '</td>';
$childTable .= '<td class="histo">';
if(!$interdictionModification) {
if (!$interdictionModification) {
$childTable .= $user_modif_demande . '&nbsp;&nbsp;';
}
$childTable .= ($user_suppr_demande) . '</td>'."\n" ;
$childTable .= ($user_suppr_demande) . '</td>' . "\n";
$childTable .= '</tr>';
$i = !$i;
}
Expand All @@ -138,6 +138,23 @@ public function getListe()
return $return;
}

/**
* Retourne un congés en fonction de son p_num (id)
*
* @param int $p_num
*
* @return array
*/
public static function getConge($p_num)
{
if (empty($p_num)) {
return [];
}
$sql = \includes\SQL::singleton();
$req = "SELECT * FROM conges_periode WHERE p_num = $p_num";
return $sql->query($req)->fetch_array(MYSQLI_ASSOC);
}

/**
* Y-a-t-il une recherche dans l'avion ?
*
Expand Down Expand Up @@ -185,7 +202,7 @@ protected function getFormulaireRecherche(array $champs)
: '';
$form .= '<option value="' . $key . '" ' . $selected . '>' . $value . '</option>';
}
$form .= '</select></div></div><div class="form-group"><div class="input-group"><button type="submit" class="btn btn-default"><i class="fa fa-search" aria-hidden="true"></i></button>&nbsp;<a href="' . ROOT_PATH . 'utilisateur/user_index.php?session='. $session . '&onglet=liste_conge" type="reset" class="btn btn-default">Reset</a></div></div></form>';
$form .= '</select></div></div><div class="form-group"><div class="input-group"><button type="submit" class="btn btn-default"><i class="fa fa-search" aria-hidden="true"></i></button>&nbsp;<a href="' . ROOT_PATH . 'utilisateur/user_index.php?session=' . $session . '&onglet=liste_conge" type="reset" class="btn btn-default">Reset</a></div></div></form>';

return $form;
}
Expand All @@ -204,7 +221,7 @@ protected function transformChampsRecherche(array $post)
foreach ($search as $key => $value) {
if ('annee' === $key) {
$champs['dateDebut'] = ((int) $value) . '-01-01';
$champs['dateFin'] = ((int) $value) . '-12-31';
$champs['dateFin'] = ((int) $value) . '-12-31';
} else {
$champs[$key] = $value;
}
Expand All @@ -217,13 +234,13 @@ protected function transformChampsRecherche(array $post)
* SQL
*/

/**
* Retourne une liste d'id de congés
*
* @param array $params Paramètres de recherche
*
* @return array
*/
/**
* Retourne une liste d'id de congés
*
* @param array $params Paramètres de recherche
*
* @return array
*/
protected function getListeId(array $params)
{
if (!empty($params)) {
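Review bot: The new `getConge()` interpolates `$p_num` straight into the query (`WHERE p_num = $p_num`), and according to the commit message its caller `canUserManipulateConge()` receives the `p_num` taken from the request, so the helper added to stop p_num tampering is itself reachable with attacker-controlled SQL. Coerce the identifier before building the statement, `$req = 'SELECT * FROM conges_periode WHERE p_num = ' . (int) $p_num;`, or use a prepared statement if `\includes\SQL` exposes one. `fetch_array()` returns `null` when no row matches, which contradicts the `@return array` docblock and lets the caller index into null; `return $sql->query($req)->fetch_array(MYSQLI_ASSOC) ?: [];` keeps the documented contract. The other hunks in this file are whitespace-only reformatting of `getListe()`, whose body extends outside the hunks.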
23 changes: 23 additions & 0 deletions utilisateur/Fonctions.php
Expand Up @@ -426,6 +426,12 @@ public static function modificationAbsenceModule()
$new_comment = htmlentities(getpost_variable('new_comment'), ENT_QUOTES | ENT_HTML401);

$return = '';
$isAllowed = self::canUserManipulateConge($p_num, $_SESSION['userlogin']);

if (!$isAllowed || $_SESSION['config']['interdit_modif_demande']) {
$session = (isset($_GET['session']) ? $_GET['session'] : ((isset($_POST['session'])) ? $_POST['session'] : session_id()));
redirect(ROOT_PATH . 'utilisateur/user_index.php?session=' . $session);
}

//conversion des dates
$new_debut = convert_date($new_debut);
Expand Down Expand Up @@ -575,6 +581,12 @@ public static function suppressionAbsenceModule()
$p_num_to_delete = getpost_variable('p_num_to_delete');
$return = '';
/*************************************/

$isAllowed = self::canUserManipulateConge($p_num, $_SESSION['userlogin']);
if (!$isAllowed) {
$session = (isset($_GET['session']) ? $_GET['session'] : ((isset($_POST['session'])) ? $_POST['session'] : session_id()));
redirect(ROOT_PATH . 'utilisateur/user_index.php?session=' . $session);
}

// TITRE
$return .= '<h1>'. _('user_suppr_demande_titre') .'</h1>';
Expand Down Expand Up @@ -1506,4 +1518,15 @@ public static function getOptionsTypeConges()

return $options;
}

public static function canUserManipulateConge($idConge, $user) {
if (empty($idConge) && empty($user)) {
return false;
}
$conge = \App\ProtoControllers\Conge::getConge($idConge);
if (($conge["p_etat"] == \App\Models\Conge::STATUT_DEMANDE) && ($conge['p_login'] == $user)){
return true;
}
return false;
}
}
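Review bot: `canUserManipulateConge()` denies only when both `$idConge` and `$user` are empty (`&&`), so an empty id with a logged-in user falls through to `getConge()`, which returns an empty array, and the following `$conge["p_etat"]` read raises an undefined-index notice before the comparison fails; the guard should be `if (empty($idConge) || empty($user)) {` and the result should also require a row, e.g. `return !empty($conge) && $conge['p_etat'] == \App\Models\Conge::STATUT_DEMANDE && $conge['p_login'] === $user;`. In `suppressionAbsenceModule()` the new check authorizes `$p_num` while the hunk also reads `$p_num_to_delete`; if the deletion code further down (outside the hunk) acts on `$p_num_to_delete`, that id must pass the same check or be required to equal `$p_num`. In both callers the behaviour after `redirect()` depends on whether that helper terminates the script; if it does not, add an explicit `return $return;` (or `exit`) after the redirect so the modification/deletion code below is never reached for a denied request. `modificationAbsenceModule()` and `suppressionAbsenceModule()` start before their hunks.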
