From d3ccfeeadc789aa4ee2accaade3d1439b1774bc1 Mon Sep 17 00:00:00 2001
From: amarchal
Date: Fri, 25 Nov 2022 22:12:41 +0100
Subject: [PATCH 1/5] hide private contact in thirdparty list

---
 htdocs/core/lib/company.lib.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php
index cfd3e69a577..bc51a7884cc 100644
--- a/htdocs/core/lib/company.lib.php
+++ b/htdocs/core/lib/company.lib.php
@@ -1123,6 +1123,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '', $showuserl
 $sql .= " FROM ".MAIN_DB_PREFIX."socpeople as t";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople_extrafields as ef on (t.rowid = ef.fk_object)";
 $sql .= " WHERE t.fk_soc = ".((int) $object->id);
+ $sql .= " AND ((t.fk_user_creat = ".$user->id." AND t.priv = 1) OR t.priv = 0)";
 if ($search_rowid) {
 $sql .= natural_search('t.rowid', $search_rowid);
 }

From f7adbfef1663dfdfc8b923c69d260662685d2e5f Mon Sep 17 00:00:00 2001
From: amarchal
Date: Fri, 25 Nov 2022 22:33:34 +0100
Subject: [PATCH 2/5] block visibility to private contact (thirdparty list / card)

---
 htdocs/contact/card.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php
index 8e9c6f2a321..84a84321a52 100644
--- a/htdocs/contact/card.php
+++ b/htdocs/contact/card.php
@@ -86,6 +86,7 @@ $hookmanager->initHooks(array('contactcard', 'globalcard'));
 if ($id > 0) {
 $object->fetch($id);
+ $object->info($id);
 }
 if (!($object->id > 0) && $action == 'view') {
@@ -101,6 +102,9 @@ $permissiontoadd = $user->rights->societe->contact->creer;
 if ($user->socid) {
 $socid = $user->socid;
 }
+if($object->priv && $object->user_creation->id != $user->id){
+ accessforbidden();
+}
 $result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission

From 1c6828e816c588d15e6e77d12f0f4b0780344c51 Mon Sep 17 00:00:00 2001
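Review bot: The added `AND` clause reads `$user->id`, but `show_contacts()` receives `$conf, $langs, $db, $object, …` and no `$user` (the signature is cut off in the hunk header and the function body begins outside the hunk), so the line relies on a `global $user` declaration that this hunk does not show; without it `$user->id` is null and the generated SQL is syntactically broken. Worth confirming, and the same expression is rewritten again in the hunks of patches 4 and 5, which only add the `(int)` cast, so this applies there too. A second point on semantics: if `t.priv` can be NULL for older rows, such a contact matches neither `t.priv = 1` nor `t.priv = 0` and silently disappears from every user's list, including its creator's; `OR COALESCE(t.priv, 0) = 0` would keep the previous behaviour for those rows. Finally, `t.fk_user_creat` is fixed at creation, so a private contact whose creator's account is later disabled is listed for nobody — possibly intended, but it deserves a comment such as `// Private contacts are only listed for the user who created them`.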
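Review bot: `$object->info($id)` is issued right after `$object->fetch($id)`, whose return value is not checked, so for an unknown id a second query still runs against an empty object; the call seems to exist only to populate `$object->user_creation` for the `accessforbidden()` guard added later in this file. If `Contact::fetch()` already loads the creator id (to be verified in the class), the extra round-trip can be dropped; otherwise guarding it, `if ($object->fetch($id) > 0) { $object->info($id); }`, keeps the behaviour while skipping the needless query on a failed fetch.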
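Review bot: The guard `$object->priv && $object->user_creation->id != $user->id` depends on `user_creation` having been filled by the `info()` call added earlier in this file, and when a private contact has no recorded creator the property chain evaluates to null with a warning and the page is denied; denial is the safe default, but the rule also denies `$user->admin` users and every other user of the same thirdparty, so confirm that is intended and, if not, add `&& empty($user->admin)` to the condition. The rule is enforced only on this card page while the equivalent SQL filter lives in `show_contacts()`; other read paths (contact list, API, exports) are not touched by this series, so a single helper on `Contact` (e.g. `isVisibleToUser($user)`) used by both places would keep the two definitions of "private" from drifting apart. The check also runs before `restrictedArea()`, which is harmless but worth a one-line comment, e.g. `// Private contacts are visible only to their creator`.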
From: stickler-ci
Date: Fri, 25 Nov 2022 21:36:11 +0000
Subject: [PATCH 3/5] Fixing style errors.

---
 htdocs/contact/card.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php
index 84a84321a52..c5184a18454 100644
--- a/htdocs/contact/card.php
+++ b/htdocs/contact/card.php
@@ -102,7 +102,7 @@ $permissiontoadd = $user->rights->societe->contact->creer;
 if ($user->socid) {
 $socid = $user->socid;
 }
-if($object->priv && $object->user_creation->id != $user->id){
+if ($object->priv && $object->user_creation->id != $user->id) {
 accessforbidden();
 }
 $result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission

From 5b53d1c5cf606af5be5e245289061ae5847dffcd Mon Sep 17 00:00:00 2001
From: antonin_tdj <50403308+ibuiv@users.noreply.github.com>
Date: Sat, 26 Nov 2022 09:30:40 +0100
Subject: [PATCH 4/5] add cast to avoid sql injection (eldy asked)

add cast to avoid sql injection (eldy asked)

---
 htdocs/core/lib/company.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php
index bc51a7884cc..51106b8568d 100644
--- a/htdocs/core/lib/company.lib.php
+++ b/htdocs/core/lib/company.lib.php
@@ -1123,7 +1123,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '', $showuserl
 $sql .= " FROM ".MAIN_DB_PREFIX."socpeople as t";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople_extrafields as ef on (t.rowid = ef.fk_object)";
 $sql .= " WHERE t.fk_soc = ".((int) $object->id);
- $sql .= " AND ((t.fk_user_creat = ".$user->id." AND t.priv = 1) OR t.priv = 0)";
+ $sql .= " AND ((t.fk_user_creat = ".(int) $user->id." AND t.priv = 1) OR t.priv = 0)";
 if ($search_rowid) {
 $sql .= natural_search('t.rowid', $search_rowid);
 }

From cd94e42291472555a662bdd006dcb44f0f573d4a Mon Sep 17 00:00:00 2001
From: antonin_tdj <50403308+ibuiv@users.noreply.github.com>
Date: Sat, 26 Nov 2022 09:32:10 +0100
Subject: [PATCH 5/5] add parenthesis

---
 htdocs/core/lib/company.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php
index 51106b8568d..8629e3e59d1 100644
--- a/htdocs/core/lib/company.lib.php
+++ b/htdocs/core/lib/company.lib.php
@@ -1123,7 +1123,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '', $showuserl
 $sql .= " FROM ".MAIN_DB_PREFIX."socpeople as t";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople_extrafields as ef on (t.rowid = ef.fk_object)";
 $sql .= " WHERE t.fk_soc = ".((int) $object->id);
- $sql .= " AND ((t.fk_user_creat = ".(int) $user->id." AND t.priv = 1) OR t.priv = 0)";
+ $sql .= " AND ((t.fk_user_creat = ".((int) $user->id)." AND t.priv = 1) OR t.priv = 0)";
 if ($search_rowid) {
 $sql .= natural_search('t.rowid', $search_rowid);
 }