From 1e343224356f593045bd6e694030c09b1f83cf8a Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sat, 28 Nov 2009 12:06:11 +0000 Subject: [PATCH] Fix: bad security request --- htdocs/categories/categorie.php | 2 +- htdocs/commonobject.class.php | 20 ++++++++++++-------- htdocs/compta/facture.php | 7 ++++--- htdocs/lib/functions.lib.php | 11 +++++++---- htdocs/product.class.php | 3 ++- 5 files changed, 26 insertions(+), 17 deletions(-) diff --git a/htdocs/categories/categorie.php b/htdocs/categories/categorie.php index 653f05ad228..1cfc9388a1a 100644 --- a/htdocs/categories/categorie.php +++ b/htdocs/categories/categorie.php @@ -3,7 +3,7 @@ * Copyright (C) 2005 Brice Davoleau * Copyright (C) 2005-2009 Regis Houssin * Copyright (C) 2006-2009 Laurent Destailleur - * Copyright (C) 2007 Patrick Raguin + * Copyright (C) 2007 Patrick Raguin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by diff --git a/htdocs/commonobject.class.php b/htdocs/commonobject.class.php index ef7d7efe71f..e8f98a27a4b 100644 --- a/htdocs/commonobject.class.php +++ b/htdocs/commonobject.class.php @@ -411,7 +411,7 @@ class CommonObject */ function load_previous_next_ref($filter='',$fieldid) { - global $conf; + global $conf, $user; if (! $this->table_element) { 
@@ -422,15 +422,17 @@ class CommonObject // this->ismultientitymanaged contains // 0=No test on entity, 1=Test with field entity, 2=Test with link by societe - $sql = "SELECT MAX(".$fieldid.")"; + $sql = "SELECT MAX(te.".$fieldid.")"; $sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element." as te"; - if ($this->ismultientitymanaged == 2) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity + if ($this->ismultientitymanaged == 2 || (!$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity + if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON s.rowid = sc.fk_soc"; $sql.= " WHERE te.".$fieldid." < '".addslashes($this->ref)."'"; + if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " AND s.rowid = te.fk_soc AND sc.fk_user = " .$user->id; if (isset($filter)) $sql.=" AND ".$filter; if ($this->ismultientitymanaged == 2) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to entity - if ($this->ismultientitymanaged > 0) $sql.= ' AND entity IN (0,'.$conf->entity.')'; + if ($this->ismultientitymanaged > 0) $sql.= ' AND te.entity IN (0,'.$conf->entity.')'; - //print $sql."
"; + print $sql."
"; $result = $this->db->query($sql) ; if (! $result) { @@ -441,13 +443,15 @@ class CommonObject $this->ref_previous = $row[0]; - $sql = "SELECT MIN(".$fieldid.")"; + $sql = "SELECT MIN(te.".$fieldid.")"; $sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element." as te"; - if ($this->ismultientitymanaged == 2) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity + if ($this->ismultientitymanaged == 2 || (!$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity + if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON s.rowid = sc.fk_soc"; $sql.= " WHERE te.".$fieldid." > '".addslashes($this->ref)."'"; + if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " AND s.rowid = te.fk_soc AND sc.fk_user = " .$user->id; if (isset($filter)) $sql.=" AND ".$filter; if ($this->ismultientitymanaged == 2) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to entity - if ($this->ismultientitymanaged > 0) $sql.= ' AND entity IN (0,'.$conf->entity.')'; + if ($this->ismultientitymanaged > 0) $sql.= ' AND te.entity IN (0,'.$conf->entity.')'; // Rem: Bug in some mysql version: SELECT MIN(rowid) FROM llx_socpeople WHERE rowid > 1 when one row in database with rowid=1, returns 1 instead of null //print $sql."
"; diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php index 73d8ad140fa..2f5838769bd 100644 --- a/htdocs/compta/facture.php +++ b/htdocs/compta/facture.php @@ -53,11 +53,12 @@ $projetid=isset($_GET['projetid'])?$_GET['projetid']:0; // Security check $socid=isset($_GET['socid'])?$_GET['socid']:$_POST['socid']; -$facid = isset($_GET["facid"])?$_GET["facid"]:''; +$facid = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); +$fieldid = isset($_GET["ref"])?'facnumber':'rowid'; if ($user->societe_id) $socid=$user->societe_id; -$result = restrictedArea($user, 'facture', $facid,''); +$result = restrictedArea($user, 'facture', $facid,'','','fk_soc',$fieldid); -// Nombre de ligne pour choix de produit/service pr�d�finis +// Nombre de ligne pour choix de produit/service predefinis $NBLINES=4; $usehm=$conf->global->MAIN_USE_HOURMIN_IN_DATE_RANGE; diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php index 27556769504..34dc723589c 100644 --- a/htdocs/lib/functions.lib.php +++ b/htdocs/lib/functions.lib.php @@ -1631,17 +1631,20 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename='' } // If we have a particular object to check permissions on - if ($objectid > 0) + if (!empty($objectid)) { foreach ($features as $feature) { $sql=''; + + $check = array('user','usergroup','produit','service','produit|service'); + $nocheck = array('categorie','barcode','stock','fournisseur'); // If dbtable not defined, we use same name for table than module name if (empty($dbtablename)) $dbtablename = $feature; // Check permission for object with entity - if ($feature == 'user' || $feature == 'usergroup' || $feature == 'produit' || $feature == 'service' || $feature == 'produit|service') + if (in_array($feature,$check)) { $sql = "SELECT dbt.".$dbt_select; $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; 
@@ -1675,7 +1678,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename='' $sql.= " AND s.entity = ".$conf->entity; } } - else + else if (!in_array($feature,$nocheck)) { // If external user: Check permission for external users if ($user->societe_id > 0) @@ -1692,7 +1695,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename='' $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; $sql.= ", ".MAIN_DB_PREFIX."societe as s"; $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql.= " WHERE dbt.rowid = ".$objectid; + $sql.= " WHERE dbt.".$dbt_select." = ".$objectid; $sql.= " AND sc.fk_soc = dbt.".$dbt_keyfield; $sql.= " AND dbt.fk_soc = s.rowid"; $sql.= " AND s.entity = ".$conf->entity; diff --git a/htdocs/product.class.php b/htdocs/product.class.php index 9de626ec3e2..c951e16dafb 100644 --- a/htdocs/product.class.php +++ b/htdocs/product.class.php @@ -37,10 +37,11 @@ class Product extends CommonObject { var $db; var $error; - //! Numero de l'erreur + //! Error number var $errno = 0; var $element='product'; var $table_element='product'; + var $isnolinkedbythird = 1; // No field fk_soc var $ismultientitymanaged = 1; // 0=No test on entity, 1=Test with field entity, 2=Test with link by societe //! Identifiant unique
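Review bot: For a feature in `$nocheck` neither branch runs and `$sql` keeps its initial `''`; whatever follows this `else if` (outside the hunk) has to guard on a non-empty `$sql` before querying, otherwise the exemption becomes an empty-query failure rather than an allow — the hunk does not show such a guard, so please confirm it exists. If the pass-through is intended, state it at the branch: `else if (!in_array($feature,$nocheck, true)) // features in $nocheck: no object-level check`. Passing `true` as the third argument to `in_array` is free here and keeps the comparison strict. The enclosing function continues on both sides of the hunk.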
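Review bot: `" WHERE dbt.".$dbt_select." = ".$objectid` splices `$objectid` in with no quotes and no escaping, and with this commit `facture.php` passes `$_GET["ref"]` here with `$dbt_select = 'facnumber'`; a non-numeric ref is at best a SQL syntax error and a crafted one is SQL injection inside the permission check itself. Quote and escape it — the codebase already uses `addslashes()` for the same purpose in `CommonObject::load_previous_next_ref`, so `$sql.= " WHERE dbt.".$dbt_select." = '".addslashes($objectid)."'";` is the minimum, with the database layer's escape function preferable if `$db` is in scope here. `$dbt_select` and `$dbt_keyfield` are column names inserted raw as well; they are safe only while every caller passes literals, which deserves a note on the parameter list. The same unquoted `$objectid` pattern probably exists in the other branches of this function, which the hunk does not show.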
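Review bot: `var $isnolinkedbythird = 1; // No field fk_soc` introduces a flag that `CommonObject::load_previous_next_ref()` now reads on every subclass, but nothing in this diff gives the base class a default, so the comment should spell out the contract rather than the column name alone: `var $isnolinkedbythird = 1; // 1 = table has no fk_soc column: load_previous_next_ref() must not add the societe/societe_commerciaux join`. Declaring `var $isnolinkedbythird = 0;` in CommonObject (outside this diff) would make the default explicit instead of relying on an undefined property being falsy.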