From a5814ce77907f7a2c7b874b493324596a64796b0 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Fri, 9 Feb 2018 11:00:43 +0100
Subject: [PATCH 1/4] Fix: nocheck for "fournisseur", already check with "societe"
---
 htdocs/core/lib/security.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index e84eef83924..f8753193888 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -382,7 +382,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 $checkother = array('contact','agenda'); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
 $checkproject = array('projet','project'); // Test for project object
 $checktask = array('projet_task');
- $nocheck = array('barcode','stock'); // No test
+ $nocheck = array('barcode','stock','fournisseur'); // No test
 $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
 // If dbtablename not defined, we use same name for table than module name
From 448fcae02fc36f196883460814f0df8416d2b0c8 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Mon, 12 Feb 2018 09:03:53 +0100
Subject: [PATCH 2/4] Fix: move "fournisseur" in $checksoc
---
 htdocs/core/lib/security.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 50ce574e271..14ff7bfdf53 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -378,11 +378,11 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 if ($feature == 'task') $feature='projet_task';
 $check = array('adherent','banque','user','usergroup','produit','service','produit|service','categorie'); // Test on entity only (Objects with no link to company)
- $checksoc = array('societe'); // Test for societe object
+ $checksoc = array('societe','fournisseur'); // Test for societe object
 $checkother = array('contact','agenda'); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
 $checkproject = array('projet','project'); // Test for project object
 $checktask = array('projet_task');
- $nocheck = array('barcode','stock','fournisseur'); // No test
+ $nocheck = array('barcode','stock'); // No test
 $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
 // If dbtablename not defined, we use same name for table than module name
From 24cc687724758e474d2e772a41532e252ec884e3 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Mon, 12 Feb 2018 09:28:41 +0100
Subject: [PATCH 3/4] Fix: you can't check "fournisseur" with checkUserAccessToObject without object ID
---
 htdocs/core/lib/security.lib.php | 2 +-
 htdocs/product/fournisseurs.php | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 14ff7bfdf53..c204809e9a1 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -378,7 +378,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 if ($feature == 'task') $feature='projet_task';
 $check = array('adherent','banque','user','usergroup','produit','service','produit|service','categorie'); // Test on entity only (Objects with no link to company)
- $checksoc = array('societe','fournisseur'); // Test for societe object
+ $checksoc = array('societe'); // Test for societe object
 $checkother = array('contact','agenda'); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
 $checkproject = array('projet','project'); // Test for project object
 $checktask = array('projet_task');
diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php
index 2c49319fc19..9c91b5e11d7 100644
--- a/htdocs/product/fournisseurs.php
+++ b/htdocs/product/fournisseurs.php
@@ -51,6 +51,8 @@ $cost_price=GETPOST('cost_price', 'alpha');
 $backtopage=GETPOST('backtopage','alpha');
 $error=0;
+if (!$user->rights->fournisseur->lire) accessforbidden();
+
 // If socid provided by ajax company selector
 if (! empty($_REQUEST['search_fourn_id']))
 {
@@ -63,7 +65,7 @@ if (! empty($_REQUEST['search_fourn_id']))
 $fieldvalue = (! empty($id) ? $id : (! empty($ref) ? $ref : ''));
 $fieldtype = (! empty($ref) ? 'ref' : 'rowid');
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit|service&fournisseur',$fieldvalue,'product&product','','',$fieldtype);
+$result=restrictedArea($user,'produit|service',$fieldvalue,'product&product','','',$fieldtype);
 $limit = GETPOST('limit','int')?GETPOST('limit','int'):$conf->liste_limit;
 $sortfield = GETPOST("sortfield",'alpha');
From 23ee6748f7244b199cdaeaff5ffe32602d6f1f05 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 14 Feb 2018 20:36:13 +0100
Subject: [PATCH 4/4] Update fournisseurs.php
---
 htdocs/product/fournisseurs.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
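Review bot: With 'fournisseur' taken out of `$checksoc`, a call to checkUserAccessToObject() with that feature presumably falls through to the `$checkdefault` rule, whose own comment says "Not allowed if link is empty" — exactly the situation the subject line describes as having no object ID to test, yet nothing in the code records that this feature is unsupported here. I would add, next to the `$checkdefault` assignment, a comment such as `// 'fournisseur' is deliberately in none of these lists: there is no object id to test, callers must check $user->rights->fournisseur->lire themselves (see product/fournisseurs.php)`. Patches 1/4 and 2/4 first placed the feature in `$nocheck` and then in `$checksoc`, so the net change to security.lib.php over the series is nil; a line in the function docblock, which lies outside this hunk, would spare the next reader that archaeology. checkUserAccessToObject() begins and ends outside the hunk.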
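Review bot: The new `$result=restrictedArea($user,'produit|service',$fieldvalue,'product&product','','',$fieldtype);` drops the supplier half of the old `'produit|service&fournisseur'` feature string, and the replacement check `if (!$user->rights->fournisseur->lire) accessforbidden();` lives in the previous hunk with nothing tying the two together, so a later edit to either line can reopen the page to users without supplier rights without anyone noticing. A comment on the restrictedArea() line, e.g. `// 'fournisseur' is not in the feature string: it has no object id to test, the supplier read right is checked separately in this file`, makes the split deliberate. The `!` test on `$user->rights->fournisseur->lire` in the previous hunk would emit a notice if the supplier module is disabled and that property is absent; patch 4/4 already switches it to `empty()`, so nothing further is needed there. `$result` is assigned but not read in the visible lines, which is pre-existing and presumably relies on restrictedArea() ending the request itself on failure — worth confirming.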
diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php
index 9c91b5e11d7..68f0d673ca4 100644
--- a/htdocs/product/fournisseurs.php
+++ b/htdocs/product/fournisseurs.php
@@ -51,8 +51,6 @@ $cost_price=GETPOST('cost_price', 'alpha');
 $backtopage=GETPOST('backtopage','alpha');
 $error=0;
-if (!$user->rights->fournisseur->lire) accessforbidden();
-
 // If socid provided by ajax company selector
 if (! empty($_REQUEST['search_fourn_id']))
 {
@@ -67,6 +65,8 @@ $fieldtype = (! empty($ref) ? 'ref' : 'rowid');
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit|service',$fieldvalue,'product&product','','',$fieldtype);
+if (empty($user->rights->fournisseur->lire)) accessforbidden();
+
 $limit = GETPOST('limit','int')?GETPOST('limit','int'):$conf->liste_limit;
 $sortfield = GETPOST("sortfield",'alpha');
 $sortorder = GETPOST("sortorder",'alpha');
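Review bot: The added `if (empty($user->rights->fournisseur->lire)) accessforbidden();` carries no comment saying why the supplier right is tested here instead of inside the restrictedArea() call on the line above, nor why `empty()` replaced the `!` of patch 3/4, and both will read as accidents to the next maintainer. I would put `// Supplier right is tested here, not via restrictedArea(): checkUserAccessToObject() has no object-id rule for 'fournisseur'; empty() also covers the property being absent when the supplier module is disabled` above the new line. The gate only covers reading; any write actions handled further down in this file, outside the hunk, would need their own right, which cannot be seen from here. It is also only effective if accessforbidden() ends the request rather than returning, which the hunk does not show.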