FIX CWE-269
This commit is contained in:
parent
c1c2f44e38
commit
11fa523070
@ -173,10 +173,13 @@ function dol_verifyHash($chain, $hash, $type = '0')
|
||||
* This method check permission on module then call checkUserAccessToObject() for permission on object (according to entity and socid of user).
|
||||
*
|
||||
* @param User $user User to check
|
||||
* @param string $features Features to check (it must be module $object->element. Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
|
||||
* @param string $features Features to check (it must be module $object->element. Can be a 'or' check with 'levela|levelb'.
|
||||
* Examples: 'societe', 'contact', 'produit&service', 'produit|service', ...)
|
||||
* This is used to check permission $user->rights->features->...
|
||||
* @param int $objectid Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
|
||||
* @param string $tableandshare 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity for multicompany module. Param not used if objectid is null (optional).
|
||||
* @param string $feature2 Feature to check, second level of permission (optional). Can be a 'or' check with 'sublevela|sublevelb'.
|
||||
* This is used to check permission $user->rights->features->feature2...
|
||||
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
|
||||
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
|
||||
* @param int $isdraft 1=The object with id=$objectid is a draft
|
||||
|
||||
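Review bot: The reworded `@param string $features` line documents the `'levela|levelb'` or-check but says nothing about the `&` separator that its own examples use (`'produit&service'`), so a caller cannot tell from the docblock whether that form requires both rights or either one. One clause on the same line would close the gap, e.g. `* Can be a 'or' check with 'levela|levelb' or a 'and' check with 'levela&levelb'.`, and the `$feature2` line has the same omission. The function body is outside the hunk, so I cannot confirm the `&` semantics from here; word it to match the implementation.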
@ -39,10 +39,6 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid');
|
||||
if (!empty($user->socid)) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
if (empty($user->rights->margins->liretous)) {
|
||||
accessforbidden();
|
||||
}
|
||||
|
||||
$object = new Product($db);
|
||||
|
||||
@ -63,6 +59,12 @@ if (!$sortfield) {
|
||||
$sortfield = "f.datef";
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
if (empty($user->rights->margins->liretous)) {
|
||||
accessforbidden();
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||
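Review bot: The relocated call still uses the or-form `restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype)`, so — unlike the card pages in this commit, which dispatch on `$object->type` — a user holding rights on only one of `produit`/`service` still reaches this margins page for an object of the other type; every `productstats*` hunk below (contract, order, supplyorder, invoice, supplyinvoice, propal) only moves the same line and keeps the same or-form. If the move is meant to enable the type-aware dispatch once `$object` is loaded, the dispatch itself is missing here; if it is only for consistency with the card pages, a comment such as `// Security check, placed after fetch for consistency with the product card` would record that. Note also that everything between the old and the new position — at least `$object = new Product($db);` and whatever the hunk hides — now runs before the permission check and before the `margins->liretous` gate.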
@ -33,8 +33,6 @@ $socid = GETPOST('socid', 'int');
|
||||
if (!empty($user->socid)) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'societe', '', '');
|
||||
|
||||
|
||||
$limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
|
||||
$sortfield = GETPOST("sortfield", 'alpha');
|
||||
@ -61,6 +59,12 @@ if ($socid > 0) {
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('thirdpartymargins', 'globalcard'));
|
||||
|
||||
$result = restrictedArea($user, 'societe', $object->id, '');
|
||||
|
||||
if (empty($user->rights->margins->liretous)) {
|
||||
accessforbidden();
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
|
||||
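Review bot: The new `restrictedArea($user, 'societe', $object->id, '')` performs the record-level check only when `$object->id` is positive; if the fetch hidden behind the `if ($socid > 0)` context fails, `$object->id` is 0, only the module-level check runs, and the page presumably continues with the request-supplied `$socid`. Passing `$socid` instead of `$object->id`, or stopping when the fetch fails, would make the record-level check cover the thirdparty the page is about regardless of fetch outcome. A one-line comment above the call, `// Security check on the loaded thirdparty (must come after fetch)`, would also make the placement dependency explicit, since the old check sat before the object was loaded.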
@ -73,7 +73,21 @@ if (!$sortorder) {
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('agendathirdparty'));
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $id, 'product&product');
|
||||
$object = new Product($db);
|
||||
if ($id > 0 || !empty($ref)) {
|
||||
$object->fetch($id, $ref);
|
||||
}
|
||||
|
||||
if ($object->id > 0) {
|
||||
if ($object->type == $object::TYPE_PRODUCT) {
|
||||
restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
|
||||
}
|
||||
if ($object->type == $object::TYPE_SERVICE) {
|
||||
restrictedArea($user, 'service', $object->id, 'product&product', '', '');
|
||||
}
|
||||
} else {
|
||||
restrictedArea($user, 'produit|service', 0, 'product&product', '', '');
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
|
||||
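Review bot: The dispatch `if ($object->type == $object::TYPE_PRODUCT)` / `if ($object->type == $object::TYPE_SERVICE)` is not exhaustive: for a loaded object (`$object->id > 0`) whose `type` is neither constant, neither branch runs and the page proceeds with no `restrictedArea()` call at all, which is weaker than the single or-form check it replaces. Make the last branch a fallback — `} elseif ($object->type == $object::TYPE_SERVICE) {` followed by `} else { accessforbidden(); }` — so every loaded object is gated. The same non-exhaustive block is pasted into the productcard, `$objectid = 0`, `$modulepart = 'produit'`, `s.nom`, `$permissionnote`, productpricecard, stockproductcard, conditional `new Product($db)` and variants hunks below; a shared helper taking `$user` and `$object` would avoid fixing it in eleven places. Separately, `$object->fetch($id, $ref)` now runs before any permission check; a module-level `restrictedArea($user, 'produit|service', 0, 'product&product', '', '');` ahead of the fetch keeps that read gated.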
@ -152,7 +152,17 @@ if (!empty($canvas)) {
|
||||
// Security check
|
||||
$fieldvalue = (!empty($id) ? $id : (!empty($ref) ? $ref : ''));
|
||||
$fieldtype = (!empty($id) ? 'rowid' : 'ref');
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
if ($object->id > 0) {
|
||||
if ($object->type == $object::TYPE_PRODUCT) {
|
||||
restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
|
||||
}
|
||||
if ($object->type == $object::TYPE_SERVICE) {
|
||||
restrictedArea($user, 'service', $object->id, 'product&product', '', '');
|
||||
}
|
||||
} else {
|
||||
restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
}
|
||||
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productcard', 'globalcard'));
|
||||
|
||||
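Review bot: The dispatch block replaces the unconditional `$result = restrictedArea(...)` and relies on `$object` already being fetched by line 152, but the hunk does not show the fetch; if it happens later in the file, `$object->id` is 0 here and only the module-level `'produit|service'` check in the `else` branch runs for a request that names a record via `$id`/`$ref`. Worth confirming the fetch precedes this block, and adding `// Security check (requires $object to be fetched above)` so the ordering dependency is visible to the next editor.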
@ -50,7 +50,6 @@ if (!empty($user->socid)) {
|
||||
}
|
||||
$fieldvalue = (!empty($id) ? $id : (!empty($ref) ? $ref : ''));
|
||||
$fieldtype = (!empty($ref) ? 'ref' : 'rowid');
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
$object = new Product($db);
|
||||
$objectid = 0;
|
||||
@ -60,6 +59,19 @@ if ($id > 0 || !empty($ref)) {
|
||||
$id = $object->id;
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
if ($object->id > 0) {
|
||||
if ($object->type == $object::TYPE_PRODUCT) {
|
||||
restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
|
||||
}
|
||||
if ($object->type == $object::TYPE_SERVICE) {
|
||||
restrictedArea($user, 'service', $object->id, 'product&product', '', '');
|
||||
}
|
||||
} else {
|
||||
restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
|
||||
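Review bot: As rendered, both the unconditional `$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);` and the new dispatch block are on the new side (the hunk counts six context lines and thirteen additions), so when `$object->id` is not positive the identical or-form check executes twice, and when it is positive the or-form check runs before the type-specific one and can pass a user the type-specific branch is meant to reject. Keep one of the two: either drop the unconditional call and rely on the block, or keep the call as the module-level gate and remove the redundant `else` branch. The `$modulepart = 'produit'` hunk below shows the same doubled check.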
@ -95,9 +95,19 @@ if ($id > 0 || !empty($ref)) {
|
||||
}
|
||||
$modulepart = 'produit';
|
||||
|
||||
|
||||
$permissiontoadd = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer));
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
if ($object->id > 0) {
|
||||
if ($object->type == $object::TYPE_PRODUCT) {
|
||||
restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
|
||||
}
|
||||
if ($object->type == $object::TYPE_SERVICE) {
|
||||
restrictedArea($user, 'service', $object->id, 'product&product', '', '');
|
||||
}
|
||||
} else {
|
||||
restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -103,17 +103,16 @@ if ($id > 0 || $ref) {
|
||||
$object->fetch($id, $ref);
|
||||
}
|
||||
|
||||
$sortfield = GETPOST("sortfield", 'alpha');
|
||||
$sortorder = GETPOST("sortorder", 'alpha');
|
||||
|
||||
if (!$sortfield) {
|
||||
$sortfield = "s.nom";
|
||||
if ($object->id > 0) {
|
||||
if ($object->type == $object::TYPE_PRODUCT) {
|
||||
restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
|
||||
}
|
||||
if ($object->type == $object::TYPE_SERVICE) {
|
||||
restrictedArea($user, 'service', $object->id, 'product&product', '', '');
|
||||
}
|
||||
} else {
|
||||
restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
}
|
||||
if (!$sortorder) {
|
||||
$sortorder = "ASC";
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
|
||||
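Review bot: As rendered, the dispatch block sits between `$sortfield = "s.nom";` and `if (!$sortorder) {` with no closing brace for `if (!$sortfield) {` visible before it, and the hunk counts (17 old, 16 new) imply the sort-default lines were removed rather than kept around it. The page has lost the old/new markers, so please confirm in the file that the block is at top level and not inside the `if (!$sortfield)` body — inside it, the permission check would only run when the request omits `sortfield`, a parameter every caller controls. If the `$sortfield`/`$sortorder` handling really was dropped here, it needs to be defined earlier in the file, since the listing below presumably still uses both.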
@ -51,7 +51,16 @@ if ($id > 0 || !empty($ref)) {
|
||||
|
||||
$permissionnote = $user->rights->produit->creer; // Used by the include of actions_setnotes.inc.php
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
if ($object->id > 0) {
|
||||
if ($object->type == $object::TYPE_PRODUCT) {
|
||||
restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
|
||||
}
|
||||
if ($object->type == $object::TYPE_SERVICE) {
|
||||
restrictedArea($user, 'service', $object->id, 'product&product', '', '');
|
||||
}
|
||||
} else {
|
||||
restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -60,9 +60,7 @@ $offset = $limit * $page;
|
||||
$pageprev = $page - 1;
|
||||
$pagenext = $page + 1;
|
||||
|
||||
$staticproduct = new Product($db);
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', 0, 'product&product');
|
||||
restrictedArea($user, 'produit|service', 0, 'product&product', '', '');
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -82,7 +82,16 @@ if ((!empty($conf->global->PRODUIT_MULTIPRICES) || !empty($conf->global->PRODUIT
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productpricecard', 'globalcard'));
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
if ($object->id > 0) {
|
||||
if ($object->type == $object::TYPE_PRODUCT) {
|
||||
restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
|
||||
}
|
||||
if ($object->type == $object::TYPE_SERVICE) {
|
||||
restrictedArea($user, 'service', $object->id, 'product&product', '', '');
|
||||
}
|
||||
} else {
|
||||
restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -41,7 +41,6 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid');
|
||||
if ($user->socid) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productstatscontract'));
|
||||
@ -67,6 +66,8 @@ if (!$sortfield) {
|
||||
$sortfield = "b.date_valid";
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||
@ -58,7 +58,6 @@ if (!empty($user->socid)) {
|
||||
// Security check
|
||||
$fieldvalue = (!empty($id) ? $id : $ref);
|
||||
$fieldtype = (!empty($ref) ? 'ref' : 'rowid');
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
$tmp = dol_getdate(dol_now());
|
||||
$currentyear = $tmp['year'];
|
||||
@ -66,6 +65,8 @@ if (empty($search_year)) {
|
||||
$search_year = $currentyear;
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
|
||||
@ -43,13 +43,10 @@ $socid = '';
|
||||
if (!empty($user->socid)) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productstatsorder'));
|
||||
|
||||
$mesg = '';
|
||||
|
||||
// Load variable for pagination
|
||||
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
|
||||
$sortfield = GETPOST("sortfield", 'alpha');
|
||||
@ -75,6 +72,9 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter',
|
||||
$search_year = '';
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
@ -42,7 +42,6 @@ $socid = '';
|
||||
if (!empty($user->socid)) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productstatssupplyorder'));
|
||||
@ -74,6 +73,8 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter',
|
||||
$search_year = '';
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||
@ -40,13 +40,10 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid');
|
||||
if ($user->socid) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productstatscontract'));
|
||||
|
||||
$mesg = '';
|
||||
|
||||
// Load variable for pagination
|
||||
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
|
||||
$sortfield = GETPOST("sortfield", 'alpha');
|
||||
@ -65,6 +62,8 @@ if (!$sortfield) {
|
||||
$sortfield = "c.date_contrat";
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||
@ -44,7 +44,6 @@ $socid = '';
|
||||
if (!empty($user->socid)) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productstatsinvoice'));
|
||||
@ -77,6 +76,7 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter',
|
||||
$search_year = '';
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -44,13 +44,10 @@ $socid = '';
|
||||
if (!empty($user->socid)) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productstatssupplyinvoice'));
|
||||
|
||||
$mesg = '';
|
||||
|
||||
// Load variable for pagination
|
||||
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
|
||||
$sortfield = GETPOST("sortfield", 'alpha');
|
||||
@ -76,6 +73,9 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter',
|
||||
$search_year = '';
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
@ -40,13 +40,10 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid');
|
||||
if ($user->socid) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productstatscontract'));
|
||||
|
||||
$mesg = '';
|
||||
|
||||
// Load variable for pagination
|
||||
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
|
||||
$sortfield = GETPOST("sortfield", 'alpha');
|
||||
@ -65,6 +62,8 @@ if (!$sortfield) {
|
||||
$sortfield = "c.date_valid";
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||
@ -48,8 +48,6 @@ $result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productstatspropal'));
|
||||
|
||||
$mesg = '';
|
||||
|
||||
// Load variable for pagination
|
||||
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
|
||||
$sortfield = GETPOST('sortfield', 'aZ09comma');
|
||||
@ -76,6 +74,9 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter',
|
||||
$search_year = '';
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
@ -43,13 +43,10 @@ $socid = '';
|
||||
if (!empty($user->socid)) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
|
||||
$hookmanager->initHooks(array('productstatspropal'));
|
||||
|
||||
$mesg = '';
|
||||
|
||||
// Load variable for pagination
|
||||
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
|
||||
$sortfield = GETPOST('sortfield', 'aZ09comma');
|
||||
@ -76,6 +73,9 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter',
|
||||
$search_year = '';
|
||||
}
|
||||
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
|
||||
/*
|
||||
* View
|
||||
*/
|
||||
|
||||
@ -81,8 +81,6 @@ if (!empty($batchnumber)) {
|
||||
if ($user->socid) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit&stock', $id, 'product&product', '', '', $fieldid);
|
||||
|
||||
|
||||
$object = new Product($db);
|
||||
$extrafields = new ExtraFields($db);
|
||||
@ -114,6 +112,17 @@ $hookmanager->initHooks(array('stockproductcard', 'globalcard'));
|
||||
|
||||
$error = 0;
|
||||
|
||||
if ($object->id > 0) {
|
||||
if ($object->type == $object::TYPE_PRODUCT) {
|
||||
restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
|
||||
}
|
||||
if ($object->type == $object::TYPE_SERVICE) {
|
||||
restrictedArea($user, 'service', $object->id, 'product&product', '', '');
|
||||
}
|
||||
} else {
|
||||
restrictedArea($user, 'produit|service', $id, 'product&product', '', '', $fieldid);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Actions
|
||||
|
||||
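Review bot: The removed check required `'produit&stock'`, i.e. rights on both the product and the stock module, whereas the new block checks only `'produit'`, `'service'` or `'produit|service'`, so a user with product rights but no stock rights now passes the gate on the stock tab (the `stockproductcard` hook context). Keep the stock requirement in every branch, e.g. `restrictedArea($user, 'produit&stock', $object->id, 'product&product', '', '');` and `restrictedArea($user, 'service&stock', $object->id, 'product&product', '', '');`, and a form that still includes `stock` in the `else` branch. The `else` branch also passes `$fieldid` where the card hunks pass `$fieldtype`; that is fine only if `$fieldid` carries the same `'rowid'`/`'ref'` value, which the context at line 81 suggests but does not show.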
@ -45,7 +45,22 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid');
|
||||
if ($user->socid) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
if ($id > 0 || !empty($ref)) {
|
||||
$object = new Product($db);
|
||||
$object->fetch($id, $ref);
|
||||
}
|
||||
|
||||
if ($object->id > 0) {
|
||||
if ($object->type == $object::TYPE_PRODUCT) {
|
||||
restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
|
||||
}
|
||||
if ($object->type == $object::TYPE_SERVICE) {
|
||||
restrictedArea($user, 'service', $object->id, 'product&product', '', '');
|
||||
}
|
||||
} else {
|
||||
restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
|
||||
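Review bot: `$object` is only instantiated inside `if ($id > 0 || !empty($ref))`, but `if ($object->id > 0)` is evaluated unconditionally, so a request without `id` or `ref` reads a property of an undefined variable (a warning, then `null > 0` is false) before falling into the `else` branch — unless `$object` is created earlier in the file, which the hunk does not show. Move the instantiation above the condition: `$object = new Product($db);` before the `if`, leaving only `$object->fetch($id, $ref);` inside. The former `$result = restrictedArea(...)` that ran before the fetch appears to be removed by this hunk, so the fetch is now ungated for a user without any product or service right.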
@ -51,7 +51,6 @@ $delete_product = GETPOST('delete_product', 'alpha');
|
||||
// Security check
|
||||
$fieldvalue = (!empty($id) ? $id : $ref);
|
||||
$fieldtype = (!empty($ref) ? 'ref' : 'rowid');
|
||||
$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
|
||||
$prodstatic = new Product($db);
|
||||
$prodattr = new ProductAttribute($db);
|
||||
@ -64,8 +63,6 @@ if ($id > 0 || $ref) {
|
||||
|
||||
$selectedvariant = $_SESSION['addvariant_'.$object->id];
|
||||
|
||||
$permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
|
||||
|
||||
// Security check
|
||||
if (empty($conf->variants->enabled)) {
|
||||
accessforbidden('Module not enabled');
|
||||
@ -73,8 +70,17 @@ if (empty($conf->variants->enabled)) {
|
||||
if ($user->socid > 0) { // Protection if external user
|
||||
accessforbidden();
|
||||
}
|
||||
//$result = restrictedArea($user, 'variant');
|
||||
if (!$permissiontoread) accessforbidden();
|
||||
|
||||
if ($object->id > 0) {
|
||||
if ($object->type == $object::TYPE_PRODUCT) {
|
||||
restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
|
||||
}
|
||||
if ($object->type == $object::TYPE_SERVICE) {
|
||||
restrictedArea($user, 'service', $object->id, 'product&product', '', '');
|
||||
}
|
||||
} else {
|
||||
restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
|
||||