From b756649847109b073aebbb62c54e6638062f5649 Mon Sep 17 00:00:00 2001 From: Cerdic Date: Mon, 25 Apr 2022 16:59:06 +0200 Subject: [PATCH] =?UTF-8?q?Fix=20#20=20:=20le=20formulaire=20de=20gestion?= =?UTF-8?q?=20des=20inscriptions=20affiche=20sur=20la=20page=20d'un=20aute?= =?UTF-8?q?ur=20doit=20verifier=20que=20l'auteur=20connecte=20a=20bien=20l?= =?UTF-8?q?e=20droit=20de=20voir=20et=20modifier=20le=20subscriber=20en=20?= =?UTF-8?q?question,=20et=20adapter=20le=20comportement=20du=20formulaire?= =?UTF-8?q?=20en=20fonction.=20Les=202=20fonctions=20autoriser(voir)=20et?= =?UTF-8?q?=20autoriser(modifier)=20d'un=20subscriber=20laissent=20mainten?= =?UTF-8?q?ant=20passer=20la=20possibilit=C3=A9=20de=20voir/modifier=20un?= =?UTF-8?q?=20subscriber=20qui=20correspond=20=C3=A0=20l'auteur=20identifi?= =?UTF-8?q?=C3=A9,=20quel=20que=20soit=20son=20statut?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- formulaires/editer_email_subscription.html | 6 ++- formulaires/editer_email_subscription.php | 11 ++++++ formulaires/inc-check-subscribinglists.html | 2 +- mailsubscribers_autorisations.php | 44 ++++++++++++++++++++- 4 files changed, 58 insertions(+), 5 deletions(-) diff --git a/formulaires/editer_email_subscription.html b/formulaires/editer_email_subscription.html index c5179e3..57dd810 100644 --- a/formulaires/editer_email_subscription.html +++ b/formulaires/editer_email_subscription.html @@ -8,20 +8,22 @@ [

(#ENV*{message_erreur})

] #SET{fl,mailsubscriber} - [(#ENV{editable}) + [(#ENV{editable}|oui)
#ACTION_FORMULAIRE{#ENV{action}} + ]
#SET{name,listes}#SET{obli,'obligatoire'}#SET{defaut,''}#SET{erreurs,#ENV**{erreurs}|table_valeur{#GET{name}}}
[ (#GET{erreurs}) ] - +
[(#REM) ajouter les saisies supplementaires : extra et autre, a cet endroit ] + [(#ENV{editable}|oui)

] diff --git a/formulaires/editer_email_subscription.php b/formulaires/editer_email_subscription.php index 37614d8..8114156 100644 --- a/formulaires/editer_email_subscription.php +++ b/formulaires/editer_email_subscription.php @@ -10,6 +10,7 @@ if (!defined('_ECRIRE_INC_VERSION')) return; include_spip('inc/actions'); include_spip('inc/mailsubscribers'); include_spip('inc/editer'); +include_spip('inc/autoriser'); /** * Declarer les champs postes et y integrer les valeurs par defaut @@ -29,6 +30,7 @@ function formulaires_editer_email_subscription_charger_dist($email) { '_listes_dispo' => $listes_dispos, '_email' => $email, '_id_mailsubscriber' => '', + 'editable' => ' ', ); $subscriber = charger_fonction('subscriber', 'newsletter'); @@ -43,6 +45,15 @@ function formulaires_editer_email_subscription_charger_dist($email) { } } + $id = (empty($valeurs['_id_mailsubscriber']) ? 0 : $valeurs['_id_mailsubscriber']); + if (!autoriser('voir', 'mailsubscriber', $id, null, ['email' => $email])) { + return false; + } + + if (!autoriser('modifier', 'mailsubscriber', $id, null, ['email' => $email])) { + $valeurs['editable'] = ''; + } + return $valeurs; } diff --git a/formulaires/inc-check-subscribinglists.html b/formulaires/inc-check-subscribinglists.html index cf140bc..0b785e2 100644 --- a/formulaires/inc-check-subscribinglists.html +++ b/formulaires/inc-check-subscribinglists.html @@ -5,7 +5,7 @@ |ou{#ENV{status,''}|=={#VALEUR{status}}} |ou{#GET{val}|in_any{#ENV{#GET{name},#GET{defaut}}}})
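Review bot: The new `autoriser('modifier', …)` result in `formulaires_editer_email_subscription_charger_dist()` only clears `editable`, so the restriction is enforced by what the template renders rather than by the code that applies the change. The `verifier`/`traiter` functions of this form are outside the hunk, so it cannot be confirmed from here that they repeat the check. If they do not, the same test should run before any subscription is written, e.g. `if (!autoriser('modifier', 'mailsubscriber', $id, null, ['email' => $email])) { return ['message_erreur' => '<error text>']; }`. A comment above the `$id` line would also help, stating that `0` means no subscriber record exists yet for `$email` and that authorization then rests on the e-mail comparison alone.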
- + [

(#VALEUR{descriptif}|propre|PtoBR)

]
diff --git a/mailsubscribers_autorisations.php b/mailsubscribers_autorisations.php
index ec260b6..7425bac 100644
--- a/mailsubscribers_autorisations.php
+++ b/mailsubscribers_autorisations.php
@@ -45,12 +45,52 @@ function autoriser_mailsubscriber_iconifier_dist($faire, $type, $id, $qui, $opt)
 // voir les fiches completes
 function autoriser_mailsubscriber_voir_dist($faire, $type, $id, $qui, $opt) {
- return $qui['statut'] == '0minirezo' AND !$qui['restreint'];
+ if ($qui['statut'] == '0minirezo' AND !$qui['restreint']) {
+ return true;
+ }
+
+ // un auteur connecte peut toujours voir sa propre fiche mailsubscriber
+ if (!empty($GLOBALS['visiteur_session']['email'])) {
+ $email = '';
+ if (!empty($opt['email'])) {
+ $email = $opt['email'];
+ }
+ elseif ($id) {
+ $email = sql_getfetsel('email', 'spip_mailsubscribers', 'id_mailsubscriber='.intval($id));
+ }
+ if (!empty($email)) {
+ if ($GLOBALS['visiteur_session']['email'] === $email
+ or mailsubscribers_obfusquer_email($GLOBALS['visiteur_session']['email']) === $email) {
+ return true;
+ }
+ }
+ }
+ return false;
 }
 // modifier
 function autoriser_mailsubscriber_modifier_dist($faire, $type, $id, $qui, $opt) {
- return $qui['statut'] == '0minirezo' AND !$qui['restreint'];
+ if ($qui['statut'] == '0minirezo' AND !$qui['restreint']) {
+ return true;
+ }
+
+ // un auteur connecte peut toujours voir sa propre fiche mailsubscriber
+ if (!empty($GLOBALS['visiteur_session']['email'])) {
+ $email = '';
+ if (!empty($opt['email'])) {
+ $email = $opt['email'];
+ }
+ elseif ($id) {
+ $email = sql_getfetsel('email', 'spip_mailsubscribers', 'id_mailsubscriber='.intval($id));
+ }
+ if (!empty($email)) {
+ if ($GLOBALS['visiteur_session']['email'] === $email
+ or mailsubscribers_obfusquer_email($GLOBALS['visiteur_session']['email']) === $email) {
+ return true;
+ }
+ }
+ }
+ return false;
 }
 // supprimer
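Review bot: In `autoriser_mailsubscriber_voir_dist()` and `autoriser_mailsubscriber_modifier_dist()` the ownership test prefers the caller-supplied `$opt['email']` over the stored record and reads `$GLOBALS['visiteur_session']` instead of `$qui`. A caller that passes an `$id` together with an `email` option that does not belong to that record would be authorized on the option alone, and a call made for another author (a non-null `$qui`) is still decided by whoever is logged in. When `$id` is set the address should come from `spip_mailsubscribers`, and the comparison should use `$qui['email']` (assuming `$qui` carries the author row, as `autoriser()` normally provides). The two bodies are identical, down to the comment in the `modifier` function that still says "voir", so a single helper would keep them from drifting; the helper name below is only a suggestion. `mailsubscribers_obfusquer_email()` is called with no include visible in this hunk, which is worth confirming for callers that have not loaded `inc/mailsubscribers`.

```php
// Proposed shared helper: true when the author in $qui owns the subscriber record.
function mailsubscribers_autoriser_propre_fiche($id, $qui, $opt) {
	if (empty($qui['email'])) {
		return false;
	}
	// As soon as an id is known, the stored record is authoritative;
	// $opt['email'] is only used when no record exists yet.
	if ($id = intval($id)) {
		$email = sql_getfetsel('email', 'spip_mailsubscribers', 'id_mailsubscriber=' . $id);
	}
	else {
		$email = (empty($opt['email']) ? '' : $opt['email']);
	}
	if (empty($email)) {
		return false;
	}
	return $qui['email'] === $email
		|| mailsubscribers_obfusquer_email($qui['email']) === $email;
}

function autoriser_mailsubscriber_voir_dist($faire, $type, $id, $qui, $opt) {
	if ($qui['statut'] == '0minirezo' AND !$qui['restreint']) {
		return true;
	}
	// a logged-in author may always see their own subscriber record
	return mailsubscribers_autoriser_propre_fiche($id, $qui, $opt);
}
// … autoriser_mailsubscriber_modifier_dist: same admin test, then the same helper call …
```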