From 24cc687724758e474d2e772a41532e252ec884e3 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Mon, 12 Feb 2018 09:28:41 +0100 Subject: [PATCH] Fix: you can't check "fournisseur" with checkUserAccessToObject without object ID --- htdocs/core/lib/security.lib.php | 2 +- htdocs/product/fournisseurs.php | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index 14ff7bfdf53..c204809e9a1 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -378,7 +378,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh if ($feature == 'task') $feature='projet_task'; $check = array('adherent','banque','user','usergroup','produit','service','produit|service','categorie'); // Test on entity only (Objects with no link to company) - $checksoc = array('societe','fournisseur'); // Test for societe object + $checksoc = array('societe'); // Test for societe object $checkother = array('contact','agenda'); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...). $checkproject = array('projet','project'); // Test for project object $checktask = array('projet_task'); diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php index 2c49319fc19..9c91b5e11d7 100644 --- a/htdocs/product/fournisseurs.php +++ b/htdocs/product/fournisseurs.php @@ -51,6 +51,8 @@ $cost_price=GETPOST('cost_price', 'alpha'); $backtopage=GETPOST('backtopage','alpha'); $error=0; +if (!$user->rights->fournisseur->lire) accessforbidden(); + // If socid provided by ajax company selector if (! empty($_REQUEST['search_fourn_id'])) { @@ -63,7 +65,7 @@ if (! empty($_REQUEST['search_fourn_id'])) $fieldvalue = (! empty($id) ? $id : (! empty($ref) ? $ref : '')); $fieldtype = (! empty($ref) ? 'ref' : 'rowid'); if ($user->societe_id) $socid=$user->societe_id; -$result=restrictedArea($user,'produit|service&fournisseur',$fieldvalue,'product&product','','',$fieldtype); +$result=restrictedArea($user,'produit|service',$fieldvalue,'product&product','','',$fieldtype); $limit = GETPOST('limit','int')?GETPOST('limit','int'):$conf->liste_limit; $sortfield = GETPOST("sortfield",'alpha');