am�lioration de la s�curit�

2006-03-10 16:55:25 +00:00 · 2006-03-10 16:55:25 +00:00 · 27f8e2f4f0
commit 27f8e2f4f0
parent dec9f95d7d
6 changed files with 71 additions and 4 deletions
--- a/htdocs/projet/activity/myactivity.php
+++ b/htdocs/projet/activity/myactivity.php
@ -29,6 +29,8 @@
 require("./pre.inc.php");
 $user->getrights('projet');
 if (!$user->rights->projet->lire) accessforbidden();
 /*
@ -36,7 +38,6 @@ if (!$user->rights->projet->lire) accessforbidden();
 */
 if ($user->societe_id > 0) 
 {
  $action = '';
  $socidp = $user->societe_id;
 }
@ -69,6 +70,10 @@ $sql .= " , ".MAIN_DB_PREFIX."projet_task as t";
 if (!$user->rights->commercial->client->voir && !$socidp) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql .= " WHERE t.fk_projet = p.rowid";
 if (!$user->rights->commercial->client->voir && !$socidp) $sql .= " AND p.fk_soc = sc.fk_soc AND sc.fk_user = " .$user->id;
 if ($socidp)
 { 
  $sql .= " AND p.fk_soc = ".$socidp; 
 }
 $sql .= " GROUP BY p.rowid";
--- a/htdocs/projet/commandes.php
+++ b/htdocs/projet/commandes.php
@ -36,6 +36,18 @@ $langs->load("projects");
 $langs->load("companies");
 $langs->load("orders");
 $user->getrights('projet');
 if (!$user->rights->projet->lire) accessforbidden();
 /*
 * Sécurité accés client
 */
 if ($user->societe_id > 0) 
 {
  $socidp = $user->societe_id;
 }
 llxHeader("","../");
--- a/htdocs/projet/facture.php
+++ b/htdocs/projet/facture.php
@ -39,8 +39,36 @@ $langs->load("bills");
 $user->getrights('projet');
-if (!$user->rights->projet->lire)
+if (!$user->rights->projet->lire) accessforbidden();
-  accessforbidden();
+
 /*
 * Sécurité accés client
 */
 $projetid='';
 if ($_GET["id"]) { $projetid=$_GET["id"]; }
 if ($projetid == '') accessforbidden();
 $socidp = 0
 if ($user->societe_id > 0) 
 {
  $socidp = $user->societe_id;
 }
 // Protection restriction commercial
 if (!$user->rights->commercial->client->voir && $projetid && !$user->societe_id > 0)
 {
        $sql = "SELECT sc.fk_soc, p.rowid, p.fk_soc";
        $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."projet as p";
        $sql .= " WHERE p.rowid = ".$projetid." AND sc.fk_soc = p.fk_soc AND fk_user = ".$user->id;
        if ( $db->query($sql) )
        {
          if ( $db->num_rows() == 0) accessforbidden();
        }
 }
 llxHeader("","../");
--- a/htdocs/projet/index.php
+++ b/htdocs/projet/index.php
@ -36,7 +36,6 @@ if (!$user->rights->projet->lire) accessforbidden();
 // Sécurité accés client
 if ($user->societe_id > 0) 
 {
  $action = '';
  $socidp = $user->societe_id;
 }
--- a/htdocs/projet/propal.php
+++ b/htdocs/projet/propal.php
@ -37,6 +37,18 @@ $langs->load("projects");
 $langs->load("companies");
 $langs->load("propal");
 $user->getrights('projet');
 if (!$user->rights->projet->lire) accessforbidden();
 /*
 * Sécurité accés client
 */
 if ($user->societe_id > 0) 
 {
  $socidp = $user->societe_id;
 }
 llxHeader("","../");
--- a/htdocs/projet/tasks/fiche.php
+++ b/htdocs/projet/tasks/fiche.php
@ -29,8 +29,19 @@
 require("./pre.inc.php");
 $user->getrights('projet');
 if (!$user->rights->projet->lire) accessforbidden();
 /*
 * Sécurité accés client
 */
 if ($user->societe_id > 0) 
 {
  $action = '';
  $socidp = $user->societe_id;
 }
 Function PLines(&$inc, $parent, $lines, &$level, $actors)
 {
  $form = new Form($db); // $db est null ici mais inutile pour la fonction select_date()