From 1b350fafd1f923b2c22acbddc9aa290ad93adaca Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Thu, 3 May 2012 18:40:52 +0200
Subject: [PATCH] Fix: missing entity field in contract
Fix: multicompany compatibility
---
 htdocs/compta/facture/fiche-rec.php | 15 +++++++--------
 htdocs/contrat/class/contrat.class.php | 11 ++++++++---
 htdocs/contrat/index.php | 20 ++++++++++----------
 htdocs/core/lib/security.lib.php | 7 +++++++
 htdocs/projet/class/project.class.php | 12 +++++++-----
 htdocs/projet/fiche.php | 2 +-
 6 files changed, 40 insertions(+), 27 deletions(-)
diff --git a/htdocs/compta/facture/fiche-rec.php b/htdocs/compta/facture/fiche-rec.php
index 2960624597a..56ffc93ccaf 100644
--- a/htdocs/compta/facture/fiche-rec.php
+++ b/htdocs/compta/facture/fiche-rec.php
@@ -1,7 +1,7 @@
 * Copyright (C) 2004-2010 Laurent Destailleur
- * Copyright (C) 2005-2010 Regis Houssin
+ * Copyright (C) 2005-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -58,7 +58,7 @@ $sortfield="f.datef";
 // Create predefined invoice
-if ($_POST["action"] == 'add')
+if ($action == 'add')
 {
 $facturerec = new FactureRec($db);
 $facturerec->titre = $_POST["titre"];
@@ -71,17 +71,16 @@ if ($_POST["action"] == 'add')
 }
 else
 {
- $_GET["action"] = "create";
- $_GET["facid"] = $_POST["facid"];
+ $action = "create";
 $mesg = '
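Review bot: The add branch now keys on `$action` and the delete/create hunks on `$facid`, but neither variable is initialised anywhere in these hunks; the change is only safe if `$action = GETPOST('action')` and `$facid = GETPOST('facid','int')` exist earlier in fiche-rec.php, outside this patch. The @@ -71 hunk also drops the old `$_GET["facid"] = $_POST["facid"]` fallback, so the create view reached after a failed add (@@ -108) only finds its source invoice if `$facid` was already read from POST as well as GET — worth confirming. The add branch still reads `$_POST["titre"]` raw; `$facturerec->titre = GETPOST('titre');` would match the rest of the change.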
'.$facturerec->error.'
';
 }
 }
 // Suppression
-if ($_REQUEST["action"] == 'delete' && $user->rights->facture->supprimer)
+if ($action == 'delete' && $user->rights->facture->supprimer)
 {
 $facrec = new FactureRec($db);
- $facrec->fetch(GETPOST('facid','int'));
+ $facrec->fetch($facid);
 $facrec->delete();
 $facid = 0 ;
 }
@@ -99,7 +98,7 @@ $form = new Form($db);
 /*
 * Create mode
 */
-if ($_GET["action"] == 'create')
+if ($action == 'create')
 {
 print_fiche_titre($langs->trans("CreateRepeatableInvoice"));
@@ -108,7 +107,7 @@ if ($_GET["action"] == 'create')
 $facture = new Facture($db); // Source invoice
 $product_static=new Product($db);
- if ($facture->fetch($_GET["facid"]) > 0)
+ if ($facture->fetch($facid) > 0)
 {
 print '
';
 print '';
diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php
index ff9496898bf..9e38c6eed0d 100644
--- a/htdocs/contrat/class/contrat.class.php
+++ b/htdocs/contrat/class/contrat.class.php
@@ -324,7 +324,11 @@ class Contrat extends CommonObject
 $sql.= " fk_commercial_signature, fk_commercial_suivi,";
 $sql.= " note as note_private, note_public, extraparams";
 $sql.= " FROM ".MAIN_DB_PREFIX."contrat";
- if ($ref) $sql.= " WHERE ref='".$ref."'";
+ if ($ref)
+ {
+ $sql.= " WHERE ref='".$ref."'";
+ $sql.= " AND entity IN (".getEntity('contract').")";
+ }
 else $sql.= " WHERE rowid=".$id;
 dol_syslog(get_class($this)."::fetch sql=".$sql, LOG_DEBUG);
@@ -624,13 +628,14 @@ class Contrat extends CommonObject
 // Insert contract
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."contrat (datec, fk_soc, fk_user_author, date_contrat,";
 $sql.= " fk_commercial_signature, fk_commercial_suivi, fk_projet,";
- $sql.= " ref)";
+ $sql.= " ref, entity)";
 $sql.= " VALUES (".$this->db->idate($now).",".$this->socid.",".$user->id;
 $sql.= ",".$this->db->idate($this->date_contrat);
 $sql.= ",".($this->commercial_signature_id>0?$this->commercial_signature_id:"NULL");
 $sql.= ",".($this->commercial_suivi_id>0?$this->commercial_suivi_id:"NULL");
 $sql.= ",".($this->fk_projet>0?$this->fk_projet:"NULL");
- $sql .= ", " . (dol_strlen($this->ref)<=0 ? "null" : "'".$this->ref."'");
+ $sql.= ", ".(dol_strlen($this->ref)<=0 ? "null" : "'".$this->ref."'");
+ $sql.= ", ".$conf->entity;
 $sql.= ")";
 $resql=$this->db->query($sql);
 if ($resql)
diff --git a/htdocs/contrat/index.php b/htdocs/contrat/index.php
index 71146ed1b03..8f7a3f5f63e 100644
--- a/htdocs/contrat/index.php
+++ b/htdocs/contrat/index.php
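Review bot: `$ref` is still concatenated unescaped into the rewritten `WHERE ref='".$ref."'` line of Contrat::fetch; now that the entity filter makes ref lookups the multicompany-safe path, the value should go through the driver, `$sql.= " WHERE ref='".$this->db->escape($ref)."'";`. The identical rewrite in Project::fetch (@@ -240 in project.class.php) has the same gap. Note also that only the ref branch is entity-scoped; the `rowid` branch still returns a contract from any entity, which is acceptable only if every caller has passed restrictedArea first — not visible from this hunk.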
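Review bot: The new `$sql.= ", ".$conf->entity;` line in Contrat::create relies on `$conf` being declared `global` in the method, whose header is outside the hunk; if it is not, PHP raises a notice and the INSERT ends in `, )` and fails. Worth confirming the declaration or adding `global $conf;` at the top of create(). While the ref line is being rewritten anyway, `"'".$this->db->escape($this->ref)."'"` would close the remaining unescaped string value in this INSERT.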
@@ -1,7 +1,7 @@
 * Copyright (C) 2004-2011 Laurent Destailleur
- * Copyright (C) 2005-2009 Regis Houssin
+ * Copyright (C) 2005-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -38,9 +38,9 @@ $statut=isset($_GET["statut"])?$_GET["statut"]:1;
 // Security check
 $socid=0;
-$contratid = isset($_GET["id"])?$_GET["id"]:'';
+$id = GETPOST('id','int');
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'contrat',$contratid,'');
+$result = restrictedArea($user, 'contrat',$id,'');
 $staticcompany=new Societe($db);
 $staticcontrat=new Contrat($db);
@@ -104,7 +104,7 @@ $sql.= ", ".MAIN_DB_PREFIX."contratdet as cd, ".MAIN_DB_PREFIX."contrat as c";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= " WHERE cd.fk_contrat = c.rowid AND c.fk_soc = s.rowid";
 $sql.= " AND (cd.statut != 4 OR (cd.statut = 4 AND (cd.date_fin_validite is null or cd.date_fin_validite >= '".$db->idate($now)."')))";
-$sql.= " AND c.entity = ".$conf->entity;
+$sql.= " AND c.entity IN (".getEntity('contract').")";
 if ($user->societe_id) $sql.=' AND c.fk_soc = '.$user->societe_id;
 if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 $sql.= " GROUP BY cd.statut";
@@ -141,7 +141,7 @@ $sql.= ", ".MAIN_DB_PREFIX."contratdet as cd, ".MAIN_DB_PREFIX."contrat as c";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= " WHERE cd.fk_contrat = c.rowid AND c.fk_soc = s.rowid";
 $sql.= " AND (cd.statut = 4 AND cd.date_fin_validite < '".$db->idate($now)."')";
-$sql.= " AND c.entity = ".$conf->entity;
+$sql.= " AND c.entity IN (".getEntity('contract').")";
 if ($user->societe_id) $sql.=' AND c.fk_soc = '.$user->societe_id;
 if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 $sql.= " GROUP BY cd.statut";
@@ -230,7 +230,7 @@ if ($conf->contrat->enabled && $user->rights->contrat->lire)
 $sql .= " FROM ".MAIN_DB_PREFIX."contrat as c, ".MAIN_DB_PREFIX."societe as s";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= " WHERE s.rowid = c.fk_soc";
- $sql.= " AND c.entity = ".$conf->entity;
+ $sql.= " AND c.entity IN (".getEntity('contract').")";
 $sql.= " AND c.statut = 0";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 if ($socid) $sql.= " AND s.fk_soc = ".$socid;
@@ -301,7 +301,7 @@ if (!$user->rights->societe->client->voir && !$socid) $sql.= " ".MAIN_DB_PREFIX.
 $sql.= " ".MAIN_DB_PREFIX."contrat as c";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."contratdet as cd ON c.rowid = cd.fk_contrat";
 $sql.= " WHERE c.fk_soc = s.rowid";
-$sql.= " AND c.entity = ".$conf->entity;
+$sql.= " AND c.entity IN (".getEntity('contract').")";
 $sql.= " AND c.statut > 0";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 if ($socid) $sql.= " AND s.rowid = ".$socid;
@@ -373,7 +373,7 @@ $sql.= ", ".MAIN_DB_PREFIX."societe as s";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= ", ".MAIN_DB_PREFIX."contratdet as cd";
 $sql.= ") LEFT JOIN ".MAIN_DB_PREFIX."product as p ON cd.fk_product = p.rowid";
-$sql.= " WHERE c.entity = ".$conf->entity;
+$sql.= " WHERE c.entity IN (".getEntity('contract').")";
 $sql.= " AND cd.fk_contrat = c.rowid";
 $sql.= " AND c.fk_soc = s.rowid";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
@@ -451,7 +451,7 @@ $sql.= ", ".MAIN_DB_PREFIX."societe as s";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= ", ".MAIN_DB_PREFIX."contratdet as cd";
 $sql.= " ) LEFT JOIN ".MAIN_DB_PREFIX."product as p ON cd.fk_product = p.rowid";
-$sql.= " WHERE c.entity = ".$conf->entity;
+$sql.= " WHERE c.entity IN (".getEntity('contract').")";
 $sql.= " AND c.statut = 1";
 $sql.= " AND cd.statut = 0";
 $sql.= " AND cd.fk_contrat = c.rowid";
@@ -530,7 +530,7 @@ $sql.= ", ".MAIN_DB_PREFIX."societe as s";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= ", ".MAIN_DB_PREFIX."contratdet as cd";
 $sql.= " ) LEFT JOIN ".MAIN_DB_PREFIX."product as p ON cd.fk_product = p.rowid";
-$sql.= " WHERE c.entity = ".$conf->entity;
+$sql.= " WHERE c.entity IN (".getEntity('contract').")";
 $sql.= " AND c.statut = 1";
 $sql.= " AND cd.statut = 4";
 $sql.= " AND cd.date_fin_validite < '".$db->idate($now)."'";
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 561f2e2b88f..75107f05a86 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -377,6 +377,13 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
 $tmparray=explode(',',$tmps);
 if (! in_array($objectid,$tmparray)) accessforbidden();
 }
+ else
+ {
+ $sql = "SELECT dbt.".$dbt_select;
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
+ $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
+ }
 }
 else if (! in_array($feature,$nocheck)) // By default we check with link to third party
 {
diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index 58c3ad97ca8..0589bc3a15e 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
@@ -240,8 +240,12 @@ class Project extends CommonObject
 $sql = "SELECT rowid, ref, title, description, public, datec";
 $sql.= ", tms, dateo, datee, fk_soc, fk_user_creat, fk_statut, note_private, note_public";
 $sql.= " FROM " . MAIN_DB_PREFIX . "projet";
- if ($ref) $sql.= " WHERE ref='" . $ref . "'";
- else $sql.= " WHERE rowid=" . $id;
+ if ($ref)
+ {
+ $sql.= " WHERE ref='".$ref."'";
+ $sql.= " AND entity IN (".getEntity('project').")";
+ }
+ else $sql.= " WHERE rowid=".$id;
 dol_syslog(get_class($this)."::fetch sql=" . $sql, LOG_DEBUG);
 $resql = $this->db->query($sql);
@@ -813,8 +817,6 @@ class Project extends CommonObject
 */
 function getProjectsAuthorizedForUser($user, $mode=0, $list=0, $socid=0)
 {
- global $conf;
-
 $projects = array();
 $temp = array();
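Review bot: The new `else` branch in restrictedArea builds `$sql` but nothing in the hunk executes it, so the entity check it describes only takes effect if the function runs `$sql` and tests the row count after this if-chain (restrictedArea continues outside the hunk); if no such query exists, the branch is a no-op and an object id from another entity passes the check. `$objectid` is also concatenated unquoted; where `$dbt_select` is the numeric key (index.php now passes `GETPOST('id','int')`, but other callers are not visible here), `$sql.= " WHERE dbt.".$dbt_select." = ".(int) $objectid;` closes that. `$sharedelement` is not assigned in the hunk either — confirm it is set on the path that reaches this branch, otherwise `getEntity` receives null.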
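Review bot: Dropping `global $conf;` from getProjectsAuthorizedForUser is only safe if no other `$conf` reference remains in the method, whose body continues past this hunk (the @@ -825 hunk shows the one use that was replaced); any remaining `$conf->...` would now read an undefined local and silently evaluate to null inside a SQL string. Worth checking the rest of the method before merging.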
@@ -825,7 +827,7 @@ class Project extends CommonObject
 $sql.= ", " . MAIN_DB_PREFIX . "element_contact as ec";
 $sql.= ", " . MAIN_DB_PREFIX . "c_type_contact as ctc";
 }
- $sql.= " WHERE p.entity = " . $conf->entity;
+ $sql.= " WHERE p.entity IN (".getEntity('project').")";
 // Internal users must see project he is contact to even if project linked to a third party he can't see.
 //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
 if ($socid > 0) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = " . $socid . ")";
diff --git a/htdocs/projet/fiche.php b/htdocs/projet/fiche.php
index 8b0146a08f1..1c6b0626ad1 100644
--- a/htdocs/projet/fiche.php
+++ b/htdocs/projet/fiche.php
@@ -1,7 +1,7 @@
 * Copyright (C) 2004-2012 Laurent Destailleur
- * Copyright (C) 2005-2011 Regis Houssin
+ * Copyright (C) 2005-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by