From 16d39809b9d182171d970933f958c08be793a479 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Mon, 13 Mar 2006 13:29:27 +0000
Subject: [PATCH] =?UTF-8?q?Ajout=20de=20la=20permission=20"consulter=20tou?=
 =?UTF-8?q?s=20les=20clients"=20dans=20le=20module=20commercial,=20afin=20?=
 =?UTF-8?q?=20qu'un=20commercial=20puisse=20voir=20que=20les=20clients=20q?=
 =?UTF-8?q?ui=20lui=20sont=20affect=E9s.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 htdocs/contrat/contact.php | 34 +++++++++++++++++++++++++++-------
 htdocs/contrat/info.php | 30 ++++++++++++++++++++++++++++++
 htdocs/contrat/note.php | 21 ++++++++++++++++++++-
 3 files changed, 77 insertions(+), 8 deletions(-)

diff --git a/htdocs/contrat/contact.php b/htdocs/contrat/contact.php
index 83d6c779a24..f0f8ce54302 100644
--- a/htdocs/contrat/contact.php
+++ b/htdocs/contrat/contact.php
@@ -42,6 +42,33 @@ $user->getrights('contrat');
 if (!$user->rights->contrat->lire)
 accessforbidden();
+// Sécurité accés client et commerciaux
+$contratid = isset($_GET["id"])?$_GET["id"]:'';
+
+if ($user->societe_id > 0)
+{
+ $action = '';
+ $socidp = $user->societe_id;
+}
+
+// Protection restriction commercial
+if ($contratid)
+{
+ $sql = "SELECT sc.fk_soc, c.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."contrat as c";
+ $sql .= " WHERE c.rowid = ".$contratid;
+ if (!$user->rights->commercial->client->voir && !$user->societe_id > 0)
+ {
+ $sql .= " AND sc.fk_soc = c.fk_soc AND sc.fk_user = ".$user->id;
+ }
+ if ($user->societe_id > 0) $sql .= " AND c.fk_soc = ".$socidp;
+
+ if ( $db->query($sql) )
+ {
+ if ( $db->num_rows() == 0) accessforbidden();
+ }
+}
+
 // les methodes locales
 /**
@@ -105,13 +132,6 @@ function select_type_contact($contrat, $defValue, $htmlname = 'type', $source)
 }
-// Sécurité accés client
-if ($user->societe_id > 0)
-{
- $action = '';
- $socidp = $user->societe_id;
-}
-
 /*
 * Ajout d'un nouveau contact
 */
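Review bot: `$contratid` is taken straight from `$_GET["id"]` and concatenated into `" WHERE c.rowid = ".$contratid` in the first hunk, so the new access check is itself SQL-injectable; rowid is numeric, so read it as `$contratid = isset($_GET["id"]) ? (int) $_GET["id"] : 0;` and the existing `if ($contratid)` guard keeps working. The check also fails open: when `$db->query($sql)` returns false nothing is denied and the page continues as if the user were authorised, so add `else accessforbidden();` after the query branch. The identical block is pasted into info.php and note.php in this patch and needs both fixes there as well. The second hunk of this file only removes the block that was moved up and needs nothing further.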
diff --git a/htdocs/contrat/info.php b/htdocs/contrat/info.php
index fd03eeda46b..538cb82a851 100644
--- a/htdocs/contrat/info.php
+++ b/htdocs/contrat/info.php
@@ -32,6 +32,36 @@ require_once(DOL_DOCUMENT_ROOT."/contrat/contrat.class.php");
 $langs->load("contracts");
+$user->getrights('contrat');
+if (!$user->rights->contrat->lire)
+ accessforbidden();
+
+// Sécurité accés client et commerciaux
+$contratid = isset($_GET["id"])?$_GET["id"]:'';
+
+if ($user->societe_id > 0)
+{
+ $socidp = $user->societe_id;
+}
+
+// Protection restriction commercial
+if ($contratid)
+{
+ $sql = "SELECT sc.fk_soc, c.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."contrat as c";
+ $sql .= " WHERE c.rowid = ".$contratid;
+ if (!$user->rights->commercial->client->voir && !$user->societe_id > 0)
+ {
+ $sql .= " AND sc.fk_soc = c.fk_soc AND sc.fk_user = ".$user->id;
+ }
+ if ($user->societe_id > 0) $sql .= " AND c.fk_soc = ".$socidp;
+
+ if ( $db->query($sql) )
+ {
+ if ( $db->num_rows() == 0) accessforbidden();
+ }
+}
+
 llxHeader();
diff --git a/htdocs/contrat/note.php b/htdocs/contrat/note.php
index bdc06f05e7c..02ca1708f35 100644
--- a/htdocs/contrat/note.php
+++ b/htdocs/contrat/note.php
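Review bot: The FROM clause always lists `societe_commerciaux as sc` but only constrains it inside the restricted branch, so for a user who has `commercial->client->voir` (or an external `societe_id` user) the query is an unconstrained cross join: it returns zero rows and denies access whenever the assignment table happens to be empty, and otherwise passes as long as any assignment row exists for anyone. Join `sc` only when the commercial restriction is actually applied; the rewrite below builds the FROM and WHERE parts separately and leaves the query execution as it is. The contact.php and note.php hunks of this patch carry the identical query and need the same change.
```php
if ($contratid)
{
    $sql = "SELECT c.fk_soc";
    $sql .= " FROM ".MAIN_DB_PREFIX."contrat as c";
    $where = " WHERE c.rowid = ".(int) $contratid;
    if (!$user->rights->commercial->client->voir && !($user->societe_id > 0))
    {
        // Join the assignment table only when the commercial restriction applies
        $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
        $where .= " AND sc.fk_soc = c.fk_soc AND sc.fk_user = ".$user->id;
    }
    if ($user->societe_id > 0) $where .= " AND c.fk_soc = ".$socidp;
    $sql .= $where;
    // ... unchanged: query execution and accessforbidden() on zero rows ...
}
```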
@@ -40,13 +40,32 @@ if (!$user->rights->contrat->lire)
 $langs->load("companies");
 $langs->load("contracts");
-// Sécurité accés
+// Sécurité accés client et commerciaux
+$contratid = isset($_GET["id"])?$_GET["id"]:'';
+
 if ($user->societe_id > 0)
 {
 unset($_GET["action"]);
 $socidp = $user->societe_id;
 }
+// Protection restriction commercial
+if ($contratid)
+{
+ $sql = "SELECT sc.fk_soc, c.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."contrat as c";
+ $sql .= " WHERE c.rowid = ".$contratid;
+ if (!$user->rights->commercial->client->voir && !$user->societe_id > 0)
+ {
+ $sql .= " AND sc.fk_soc = c.fk_soc AND sc.fk_user = ".$user->id;
+ }
+ if ($user->societe_id > 0) $sql .= " AND c.fk_soc = ".$socidp;
+
+ if ( $db->query($sql) )
+ {
+ if ( $db->num_rows() == 0) accessforbidden();
+ }
+}
 $contrat = new Contrat($db);
 $contrat->fetch($_GET["id"]);
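Review bot: `!$user->societe_id > 0` parses as `(!$user->societe_id) > 0`, which only gives the intended result because `true > 0` happens to hold in PHP; state the intent directly as `!($user->societe_id > 0)` here and on the same line in contact.php and info.php. The branch also reads `$user->rights->commercial->client->voir` while the page has only called `$user->getrights('contrat')`; if rights are loaded per module, that property may be unset here and the check silently falls into the restricted branch — worth confirming, or loading the commercial rights explicitly before the test. Lastly, the whole `// Protection restriction commercial` block is now copied verbatim into three pages, so moving it into one shared helper (for example alongside the Contrat class in contrat.class.php) would keep the three copies from drifting apart as fixes land.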