#120 [Attendant] fix: prevent external user to sign for other

Evarisk · Feb 22, 2023 · d8bc8ab · d8bc8ab
1 parent 23efe64
commit d8bc8ab
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/view/saturne_attendants.php b/view/saturne_attendants.php
@@ -366,9 +366,11 @@
                     print $contact->getNomUrl(1);
                 }
                 print '</td><td class="center">';
-                if ($object->status == $object::STATUS_VALIDATED && $element->status != $element::STATUS_ABSENT && $permissiontoadd) {
-                    $signatureUrl = dol_buildpath('/custom/dolimeet/public/signature/add_signature.php?track_id=' . $element->signature_url  . '&object_type=' . $object->element, 3);
-                    print '<a href=' . $signatureUrl . ' target="_blank"><i class="fas fa-external-link-alt"></i></a>';
+                if ($object->status == $object::STATUS_VALIDATED && $element->status != $element::STATUS_ABSENT) {
+                    if ((!$user->rights->$moduleNameLowerCase->$objectType->read && $user->rights->$moduleNameLowerCase->assignedtome->$objectType && ($element->element_id == $user->id || $element->element_id == $user->contact_id)) || $permissiontoadd) {
+                        $signatureUrl = dol_buildpath('/custom/dolimeet/public/signature/add_signature.php?track_id=' . $element->signature_url . '&object_type=' . $object->element, 3);
+                        print '<a href=' . $signatureUrl . ' target="_blank"><i class="fas fa-external-link-alt"></i></a>';
+                    }
                 }
                 print '</td><td>';
                 print dol_print_date($element->last_email_sent_date, 'dayhour');

diff --git a/view/session/session_list.php b/view/session/session_list.php
@@ -308,7 +308,7 @@
 }
 if (!$user->rights->dolimeet->$objectType->read && $user->rights->dolimeet->assignedtome->$objectType) {
     if (!empty($user->contact_id)) {
-        $sql .= ' LEFT JOIN ' . MAIN_DB_PREFIX . 'saturne_object_signature as search_assignedtome on (search_assignedtome.element_id = ' . $user->contact_id . ' AND search_assignedtome.element_type="socpeople" AND search_assignedtome.status > 0)';
+        $sql .= ' LEFT JOIN ' . MAIN_DB_PREFIX . 'saturne_object_signature as search_assignedtome on ((search_assignedtome.element_id = ' . $user->contact_id . ' AND search_assignedtome.element_type="socpeople") OR (search_assignedtome.element_id = ' . $user->id . ' AND search_assignedtome.element_type="user") AND search_assignedtome.status > 0)';
     } else {
         $sql .= ' LEFT JOIN ' . MAIN_DB_PREFIX . 'saturne_object_signature as search_assignedtome on (search_assignedtome.element_id = ' . $user->id . ' AND search_assignedtome.element_type="user" AND search_assignedtome.status > 0)';
     }
@@ -793,7 +793,7 @@
         }
 
         $filter = ['customsql' => 'fk_object=' . $object->id . ' AND status > 0 AND object_type="' . $object->type . '"'];
-        $signatories = $signatory->fetchAll('', '', 0, 0, $filter);
+        $signatories = $signatory->fetchAll('', 'role', 0, 0, $filter);
 
         foreach ($object->fields as $key => $val) {
             $cssforfield = (empty($val['csslist']) ? (empty($val['css']) ? '' : $val['css']) : $val['csslist']);