From 523d09536c4e710db05daee7e2a8d168f6cdebbb Mon Sep 17 00:00:00 2001 From: gauthier Date: Mon, 17 Feb 2020 12:20:19 +0100 Subject: [PATCH 1/5] FIX : must be == and not = --- htdocs/product/card.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 565cb6f7565..ebf9c093c02 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -1174,7 +1174,7 @@ else // Accountancy_code_sell print ''.$langs->trans("ProductAccountancySellCode").''; print ''; - if($type = 0) { + if($type == 0) { $accountancy_code_sell = (GETPOST('accountancy_code_sell', 'alpha')?(GETPOST('accountancy_code_sell', 'alpha')):$conf->global->ACCOUNTING_PRODUCT_SOLD_ACCOUNT); } else { $accountancy_code_sell = (GETPOST('accountancy_code_sell', 'alpha')?(GETPOST('accountancy_code_sell', 'alpha')):$conf->global->ACCOUNTING_SERVICE_SOLD_ACCOUNT); From a5de331410edfdc3844c596ce1381f2c3041fa0e Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Mon, 17 Feb 2020 19:13:37 +0100 Subject: [PATCH 2/5] FIX Multicompany compatibility --- htdocs/fourn/commande/index.php | 34 +++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/htdocs/fourn/commande/index.php b/htdocs/fourn/commande/index.php index 6c2b66bc7f3..39855ea7500 100644 --- a/htdocs/fourn/commande/index.php +++ b/htdocs/fourn/commande/index.php 
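Review bot: In htdocs/product/card.php the corrected test `if($type == 0)` is still a loose comparison, so its result for an empty or non-numeric `$type` depends on the PHP version (`'' == 0` is true before PHP 8 and false from 8.0). Where `$type` is assigned is outside the hunk; if it comes from a request parameter, normalising it and comparing strictly, e.g. `if ((int) $type === 0) {`, makes the choice between the product and service default account deterministic. The enclosing branch starts and ends outside the hunk.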
@@ -157,12 +157,12 @@ else * Reason: Show all Status and give the possibility to filter only one */ -$sql = "SELECT count(cf.rowid), fk_statut"; +$sql = "SELECT count(cf.rowid), cf.fk_statut"; $sql.= " FROM ".MAIN_DB_PREFIX."societe as s"; $sql.= ", ".MAIN_DB_PREFIX."commande_fournisseur as cf"; if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE cf.fk_soc = s.rowid"; -$sql.= " AND s.entity = ".$conf->entity; +$sql.= " AND cf.entity IN (".getEntity("supplier_order").")"; // Thirdparty sharing is mandatory with supplier order sharing if ($user->societe_id) $sql.=' AND cf.fk_soc = '.$user->societe_id; if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; $sql.= " GROUP BY cf.fk_statut"; @@ -210,7 +210,7 @@ if (! empty($conf->fournisseur->enabled)) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE c.fk_soc = s.rowid"; - $sql.= " AND c.entity = ".$conf->entity; + $sql.= " AND c.entity IN (".getEntity("supplier_order").")"; // Thirdparty sharing is mandatory with supplier order sharing $sql.= " AND c.fk_statut = 0"; if (! empty($socid)) $sql.= " AND c.fk_soc = ".$socid; if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; 
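Review bot: The entity filter in the first query now constrains only `cf.entity` and the previous `s.entity` predicate is gone, so isolation of third-party rows between entities rests on the comment's assumption that third-party sharing is always enabled together with supplier-order sharing. Nothing visible in the hunk enforces that; adding `$sql.= " AND s.entity IN (".getEntity('societe').")";` would keep the joined `societe` rows scoped even if the two sharing settings diverge. The query in the hunk at -210 likewise joins `s` with no entity predicate. Separately, `$user->societe_id`, `$user->id` and `$socid` are concatenated into the SQL on the neighbouring context lines; where they are assigned is outside the hunks, so an `(int)` cast at the point of use would be a cheap guard.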
@@ -245,13 +245,27 @@ if (! empty($conf->fournisseur->enabled)) /* * List of users allowed */ -$sql = "SELECT u.rowid, u.lastname, u.firstname, u.email"; -$sql.= " FROM ".MAIN_DB_PREFIX."user as u,"; -$sql.= " ".MAIN_DB_PREFIX."user_rights as ur"; -$sql.= ", ".MAIN_DB_PREFIX."rights_def as rd"; -$sql.= " WHERE u.rowid = ur.fk_user"; -$sql.= " AND (u.entity IN (0,".$conf->entity.")"; -$sql.= " AND rd.entity = ".$conf->entity.")"; +$sql = "SELECT"; +if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) { + $sql .= " DISTINCT"; +} +$sql.= " u.rowid, u.lastname, u.firstname, u.email"; +$sql.= " FROM ".MAIN_DB_PREFIX."user as u"; +$sql.= ",".MAIN_DB_PREFIX."user_rights as ur"; +$sql.= ",".MAIN_DB_PREFIX."rights_def as rd"; +if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) +{ + $sql.= ",".MAIN_DB_PREFIX."usergroup_user as ug"; + $sql.= " WHERE ((ug.fk_user = u.rowid"; + $sql.= " AND ug.entity IN (".getEntity('usergroup')."))"; + $sql.= " OR u.entity = 0)"; // Show always superadmin +} +else +{ + $sql.= " WHERE (u.entity IN (".getEntity('user').")"; + $sql.= " AND ur.entity = ".$conf->entity.")"; +} +$sql.= " AND u.rowid = ur.fk_user"; $sql.= " AND ur.fk_id = rd.id"; $sql.= " AND module = 'fournisseur'"; $sql.= " AND perms = 'commande'"; From f6f0d9d4a214aac173d64019d556b8dd9baea5f1 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 18 Feb 2020 08:35:51 +0100 Subject: [PATCH 3/5] FIX better method to check user rights AND usergroup rights ! --- htdocs/fourn/commande/index.php | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/htdocs/fourn/commande/index.php b/htdocs/fourn/commande/index.php index 39855ea7500..1c4e0aad9e4 100644 --- a/htdocs/fourn/commande/index.php +++ b/htdocs/fourn/commande/index.php 
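Review bot: In the transverse-mode branch the comma join to `usergroup_user as ug` is constrained only inside the first arm of the `OR`, so for `u.entity = 0` rows every `ug` row matches, and if `usergroup_user` is empty the superadmin is not returned at all despite the "Show always superadmin" comment. `DISTINCT` hides the duplicates but not the cost. An existence test avoids both problems: `$sql.= " WHERE (EXISTS (SELECT 1 FROM ".MAIN_DB_PREFIX."usergroup_user as ug WHERE ug.fk_user = u.rowid AND ug.entity IN (".getEntity('usergroup').")) OR u.entity = 0)";`, with the extra FROM entry and the `DISTINCT` dropped. This branch also carries no entity predicate on `ur`, so a right granted in one entity appears to qualify the user in every entity listed; a later patch in this series replaces that join.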
@@ -251,8 +251,6 @@ if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY } $sql.= " u.rowid, u.lastname, u.firstname, u.email"; $sql.= " FROM ".MAIN_DB_PREFIX."user as u"; -$sql.= ",".MAIN_DB_PREFIX."user_rights as ur"; -$sql.= ",".MAIN_DB_PREFIX."rights_def as rd"; if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) { $sql.= ",".MAIN_DB_PREFIX."usergroup_user as ug"; @@ -263,13 +261,7 @@ if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY else { $sql.= " WHERE (u.entity IN (".getEntity('user').")"; - $sql.= " AND ur.entity = ".$conf->entity.")"; } -$sql.= " AND u.rowid = ur.fk_user"; -$sql.= " AND ur.fk_id = rd.id"; -$sql.= " AND module = 'fournisseur'"; -$sql.= " AND perms = 'commande'"; -$sql.= " AND subperms = 'approuver'"; $resql = $db->query($sql); if ($resql) @@ -285,15 +277,22 @@ if ($resql) { $obj = $db->fetch_object($resql); - print ''; - print ''; - $userstatic->id=$obj->rowid; - $userstatic->lastname=$obj->lastname; - $userstatic->firstname=$obj->firstname; - $userstatic->email=$obj->email; - print $userstatic->getNomUrl(1); - print ''; - print "\n"; + $userstatic = new User($db); + $userstatic->id = $obj->rowid; + $userstatic->getrights('fournisseur'); + + if (! empty($userstatic->rights->fournisseur->commande->approuver)) + { + print ''; + print ''; + $userstatic->lastname = $obj->lastname; + $userstatic->firstname = $obj->firstname; + $userstatic->email = $obj->email; + print $userstatic->getNomUrl(1); + print ''; + print "\n"; + } + $i++; } print "
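Review bot: Removing `" AND ur.entity = ".$conf->entity.")"` in the hunk at -263 also removes the parenthesis that closed `" WHERE (u.entity IN ("`, so outside transverse mode the statement ends as `WHERE (u.entity IN (...)` with one `(` left open and `$db->query($sql)` will presumably fail. The remaining line should drop the outer parenthesis: `$sql.= " WHERE u.entity IN (".getEntity('user').")";`. PATCH 5/5 appends `" AND u.fk_soc IS NULL"` after this branch and inherits the same unbalanced clause. What happens when `if ($resql)` is false is outside the hunks, so check that it reports the SQL error rather than silently rendering no approvers.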
"; From 4511cf1060b59d04facb934654e7394d28455ad8 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 18 Feb 2020 09:03:25 +0100 Subject: [PATCH 4/5] FIX missing "statut" for getNomUrl() function --- htdocs/fourn/commande/index.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/fourn/commande/index.php b/htdocs/fourn/commande/index.php index 1c4e0aad9e4..01af73cb76e 100644 --- a/htdocs/fourn/commande/index.php +++ b/htdocs/fourn/commande/index.php @@ -249,7 +249,7 @@ $sql = "SELECT"; if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) { $sql .= " DISTINCT"; } -$sql.= " u.rowid, u.lastname, u.firstname, u.email"; +$sql.= " u.rowid, u.lastname, u.firstname, u.email, u.statut"; $sql.= " FROM ".MAIN_DB_PREFIX."user as u"; if (! empty($conf->multicompany->enabled) && ! empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) { @@ -288,6 +288,7 @@ if ($resql) $userstatic->lastname = $obj->lastname; $userstatic->firstname = $obj->firstname; $userstatic->email = $obj->email; + $userstatic->statut = $obj->statut; print $userstatic->getNomUrl(1); print ''; print "\n"; From 110a23623bab0f8f6c60e6614ba914e7421ee661 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 18 Feb 2020 11:04:11 +0100 Subject: [PATCH 5/5] FIX an external user can not approved --- htdocs/fourn/commande/index.php | 1 + 1 file changed, 1 insertion(+) diff --git a/htdocs/fourn/commande/index.php b/htdocs/fourn/commande/index.php index 01af73cb76e..50a9150a9a1 100644 --- a/htdocs/fourn/commande/index.php +++ b/htdocs/fourn/commande/index.php @@ -262,6 +262,7 @@ else { $sql.= " WHERE (u.entity IN (".getEntity('user').")"; } +$sql.= " AND u.fk_soc IS NULL"; // An external user can not approved $resql = $db->query($sql); if ($resql)
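Review bot: The approver filter in the hunk at -285 now runs in PHP, so every user row returned for the entity gets a fresh `User` and a `getrights('fournisseur')` call. That is at least one extra lookup per user, and `$i++` still counts users that are never printed. The object passed to `getrights()` has only `id` set; whether the method also needs `entity` or `admin` to resolve group rights is not visible here. Once confirmed, a comment such as `// getrights() resolves user and group rights from ->id alone` would make the check auditable; otherwise load the user before calling it. The loop header and table markup are outside the hunk.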
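Review bot: In PATCH 4/5 `u.statut` is selected only so that `getNomUrl(1)` can render the status; the query has no predicate on it, so disabled accounts that still hold the `approuver` right appear in the list of users allowed to approve. If the list is meant to show who can actually act, add a status predicate next to the other WHERE additions, e.g. `$sql.= " AND u.statut = 1";` (assuming 1 is the enabled value — confirm). If showing disabled accounts is intentional, a short comment on the SELECT line saying so would prevent a later reader from treating it as an oversight.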