From 06f36fbfabb44992e8187efa8a2e84bc4d1f3443 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 24 Sep 2013 10:59:15 +0200 Subject: [PATCH 1/2] Fix: Bad permission check --- htdocs/core/boxes/box_members.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/boxes/box_members.php b/htdocs/core/boxes/box_members.php index fdb6db8c7f5..f14e70cc38d 100644 --- a/htdocs/core/boxes/box_members.php +++ b/htdocs/core/boxes/box_members.php @@ -79,7 +79,7 @@ class box_members extends ModeleBoxes $this->info_box_head = array('text' => $langs->trans("BoxTitleLastModifiedMembers",$max)); - if ($user->rights->societe->lire) + if ($user->rights->adherent->lire) { $sql = "SELECT a.rowid, a.lastname, a.firstname, a.societe as company, a.fk_soc,"; $sql.= " a.datec, a.tms, a.statut as status, a.datefin as date_end_subscription,"; From a674af5bcd071b8f8e2c1b4d9a024478ebb31c37 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 24 Sep 2013 11:11:59 +0200 Subject: [PATCH 2/2] Fix: Permission check on event tabs --- htdocs/comm/action/contact.php | 11 ++++++----- htdocs/comm/action/document.php | 6 +++--- htdocs/comm/action/info.php | 2 +- 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/htdocs/comm/action/contact.php b/htdocs/comm/action/contact.php index 87a13f28c55..619b6cf6b09 100644 --- a/htdocs/comm/action/contact.php +++ b/htdocs/comm/action/contact.php 
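Review bot: The new guard in box_members.php reads `$user->rights->adherent->lire` directly, so a user whose rights object has no `adherent` entry (for instance when the members module is disabled; inferred, not visible here) raises an undefined-property notice each time the box is loaded. The test still evaluates falsy and fails closed, but `if (! empty($user->rights->adherent->lire))` makes the same check without the notice. The body of the `if` runs past the end of the hunk, so the else branch is not visible; it should be confirmed that it outputs no member rows when the right is missing.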
@@ -43,23 +43,24 @@ $confirm = GETPOST('confirm'); $lineid = GETPOST('lineid','int'); // Security check +$socid = GETPOST('socid','int'); +if ($user->societe_id) $socid=$user->societe_id; if ($user->societe_id > 0) { unset($_GET["action"]); $action=''; - $socid = $user->societe_id; } +$result = restrictedArea($user, 'agenda', $objectid, 'actioncomm&societe', 'myactions&allactions', 'fk_soc', 'id'); + $object = new ActionComm($db); + /* * Actions */ -/* - * Ajout d'un nouveau contact - */ - +// Add new nouveau contact if ($action == 'addcontact') { $result = $object->fetch($id); diff --git a/htdocs/comm/action/document.php b/htdocs/comm/action/document.php index 7ad74302655..ea5c7c4735b 100644 --- a/htdocs/comm/action/document.php +++ b/htdocs/comm/action/document.php @@ -44,14 +44,14 @@ $objectid = GETPOST('id','int'); $action=GETPOST('action','alpha'); // Security check +$socid = GETPOST('socid','int'); +if ($user->societe_id) $socid=$user->societe_id; if ($user->societe_id > 0) { unset($_GET["action"]); $action=''; - $socid = $user->societe_id; } - -$result = restrictedArea($user, 'agenda', $objectid, 'actioncomm&societe', 'myactions&allactions', '', 'id'); +$result = restrictedArea($user, 'agenda', $objectid, 'actioncomm&societe', 'myactions&allactions', 'fk_soc', 'id'); $act = new ActionComm($db); diff --git a/htdocs/comm/action/info.php b/htdocs/comm/action/info.php index 66dc178d4b8..de41dc04483 100644 --- a/htdocs/comm/action/info.php +++ b/htdocs/comm/action/info.php @@ -40,7 +40,7 @@ if ($user->societe_id > 0) $socid = $user->societe_id; } -$result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions&allactions', '', 'id'); +$result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions&allactions', 'fk_soc', 'id'); /*
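Review bot: The `restrictedArea()` call added to contact.php passes `$objectid`, but nothing in this hunk assigns that name in contact.php, and the action code just below fetches the event with `$id`. If `$objectid` is indeed undefined there (the lines above the hunk are not shown), the call receives an empty object id and the per-event `fk_soc` ownership check this commit is meant to add would likely not run for the contact tab. Pass the id the page actually uses: `$result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions&allactions', 'fk_soc', 'id');`. Separately, `if ($user->societe_id)` and `if ($user->societe_id > 0)` now test the same condition back to back, here and in document.php, and could be merged into one block.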
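Review bot: In document.php, and again in info.php, the sixth argument to `restrictedArea()` changes from `''` to `'fk_soc'` with no comment, even though that one string is the whole access-control fix. A line above the call such as `// 'fk_soc': column linking the event to a third party, so external users only reach their own company's events` would keep a later edit from blanking it again. That description of the argument is inferred from the commit subject and the column name, so confirm it against the definition of restrictedArea() before adding the comment.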