lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: security problem with multicompany

Browse Source
This commit is contained in:
Regis Houssin 2013-04-26 12:35:31 +02:00
parent ed5a00a79d
commit 016b4a2baa
6 changed files with 28 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
htdocs/contact/class/contact.class.php
View File

@ -35,6 +35,7 @@ class Contact extends CommonObject
{
public $element='contact';
public $table_element='socpeople';
protected $ismultientitymanaged = 1; // 0=No test on entity, 1=Test with field entity, 2=Test with link by societe
var $id;
var $civilite_id; // In fact we stor civility_code
@ -745,7 +746,7 @@ class Contact extends CommonObject
$this->error=$this->db->error().' sql='.$sql;
}
}
// Removed extrafields
if ((! $error) && (empty($conf->global->MAIN_EXTRAFIELDS_DISABLED))) { // For avoid conflicts if trigger used
$result=$this->deleteExtraFields($this);

14
htdocs/contact/exportimport.php
View File

@ -29,26 +29,28 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/contact.lib.php';
$langs->load("companies");
// Security check
$contactid = isset($_GET["id"])?$_GET["id"]:'';
$id = GETPOST('id', 'int');
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'contact', $contactid, 'socpeople&societe');
$result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
/*
* View
*/
llxHeader('',$langs->trans("ContactsAddresses"),'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
$title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses"));
llxHeader('',$title,'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
$form = new Form($db);
$contact = new Contact($db);
$contact->fetch($_GET["id"], $user);
$contact->fetch($id, $user);
$head = contact_prepare_head($contact);
dol_fiche_head($head, 'exportimport', $langs->trans("ContactsAddresses"), 0, 'contact');
dol_fiche_head($head, 'exportimport', $title, 0, 'contact');
/*
@ -97,7 +99,7 @@ print '</div>';
print '<br>';
print $langs->trans("ExportCardToFormat").': ';
print '<a href="'.DOL_URL_ROOT.'/contact/vcard.php?id='.$_GET["id"].'">';
print '<a href="'.DOL_URL_ROOT.'/contact/vcard.php?id='.$contact->id.'">';
print img_picto($langs->trans("VCard"),'vcard.png').' ';
print $langs->trans("VCard");
print '</a>';

2
htdocs/contact/fiche.php
View File

@ -62,7 +62,7 @@ if (! empty($canvas))
}
// Security check
$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', '', $objcanvas); // If we create a contact with no company (shared contacts), no check on write permission
$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', $objcanvas); // If we create a contact with no company (shared contacts), no check on write permission
// Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';

12
htdocs/contact/ldap.php
View File

@ -35,12 +35,12 @@ $langs->load("admin");
$action=GETPOST('action');
// Security check
$contactid = isset($_GET["id"])?$_GET["id"]:'';
$id = GETPOST('id', 'int');
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'contact', $contactid, 'socpeople&societe');
$result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
$contact = new Contact($db);
$contact->fetch($_GET["id"], $user);
$contact->fetch($id, $user);
/*
@ -79,13 +79,15 @@ if ($action == 'dolibarr2ldap')
* View
*/
llxHeader('',$langs->trans("ContactsAddresses"),'EN:Module_Third_Parties|FR:Module_Tiers|ES:M&oacute;dulo_Empresas');
$title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses"));
llxHeader('',$title,'EN:Module_Third_Parties|FR:Module_Tiers|ES:M&oacute;dulo_Empresas');
$form = new Form($db);
$head = contact_prepare_head($contact);
dol_fiche_head($head, 'ldap', $langs->trans("ContactsAddresses"), 0, 'contact');
dol_fiche_head($head, 'ldap', $title, 0, 'contact');
print '<table class="border" width="100%">';

6
htdocs/contact/perso.php
View File

@ -69,7 +69,9 @@ if ($action == 'update' && ! $_POST["cancel"] && $user->rights->societe->contact
$now=dol_now();
llxHeader('',$langs->trans("ContactsAddresses"),'EN:Module_Third_Parties|FR:Module_Tiers|ES:M&oacute;dulo_Empresas');
$title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses"));
llxHeader('',$title,'EN:Module_Third_Parties|FR:Module_Tiers|ES:M&oacute;dulo_Empresas');
$form = new Form($db);
@ -77,7 +79,7 @@ $object->fetch($id, $user);
$head = contact_prepare_head($object);
dol_fiche_head($head, 'perso', $langs->trans("ContactsAddresses"), 0, 'contact');
dol_fiche_head($head, 'perso', $title, 0, 'contact');
if ($action == 'edit')
{

7
htdocs/contact/vcard.php
View File

@ -29,8 +29,13 @@ require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
require_once DOL_DOCUMENT_ROOT.'/core/class/vcard.class.php';
$id = GETPOST('id', 'int');
// Security check
$result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
$contact = new Contact($db);
$result=$contact->fetch($_GET["id"]);
$result=$contact->fetch($id);
$physicalperson=1;