From 3d8dc0b7e7bc7ca3385b79f25d34b35346e1fcc7 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 27 Feb 2010 17:30:17 +0000
Subject: [PATCH] Sec: Fix security permission check
---
 htdocs/expedition/liste.php | 26 +++++++++++++++-----------
 htdocs/product/index.php | 20 +++++++++++++-------
 htdocs/product/liste.php | 15 ++++++++-------
 3 files changed, 36 insertions(+), 25 deletions(-)
diff --git a/htdocs/expedition/liste.php b/htdocs/expedition/liste.php
index 54a29a21dc6..59873cac539 100644
--- a/htdocs/expedition/liste.php
+++ b/htdocs/expedition/liste.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2004-2009 Laurent Destailleur
+ * Copyright (C) 2004-2010 Laurent Destailleur
 * Copyright (C) 2005-2009 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
@@ -51,11 +51,15 @@ $offset = $limit * $_GET["page"] ;
 $helpurl='EN:Module_Shipments|FR:Module_Expéditions|ES:Módulo_Expediciones';
 llxHeader('',$langs->trans('ListOfSendings'),$helpurl);
-$sql = "SELECT e.rowid, e.ref,".$db->pdate("e.date_expedition")." as date_expedition, e.fk_statut";
+$sql = "SELECT e.rowid, e.ref, e.date_expedition, e.fk_statut";
 $sql.= ", s.nom as socname, s.rowid as socid";
 $sql.= ", ori.ref as origin_ref, ori.rowid as origin_id";
-$sql.= " FROM ".MAIN_DB_PREFIX."expedition as e";
-$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."element_element as el ON e.rowid = el.fk_target";
+$sql.= " FROM (".MAIN_DB_PREFIX."expedition as e";
+if (!$user->rights->societe->client->voir && !$socid) // Internal user with no permission to see all
+{
+ $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
+}
+$sql.= ") LEFT JOIN ".MAIN_DB_PREFIX."element_element as el ON e.rowid = el.fk_target";
 if ($conf->commande->enabled)
 {
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."commande as ori ON el.fk_source = ori.rowid";
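Review bot: The predicate `!$user->rights->societe->client->voir && !$socid` that adds `societe_commerciaux as sc` to the FROM list here is repeated verbatim in the `@@ -68` hunk, where the matching `e.fk_soc = sc.fk_soc` and `sc.fk_user = ...` restriction is appended, so the two halves of one access-control rule live in different places with nothing tying them together. If either copy is edited alone, the query degrades to an unconstrained cross join with `sc`, returning every shipment to a user who should only see their own companies. Evaluate the condition once before the query is built, `$restrictToOwnCompanies = (!$user->rights->societe->client->voir && !$socid); // Internal user with no permission to see all`, and test that variable in both places. The restriction is also skipped entirely whenever `$socid` is set, so the page relies on an earlier per-company check on `$socid` that is not visible in this hunk; worth confirming it exists.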
@@ -68,9 +72,9 @@ else
 }
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = e.fk_soc";
 $sql.= " WHERE e.entity = ".$conf->entity;
-if (!$user->rights->societe->client->voir && !$socid)
+if (!$user->rights->societe->client->voir && !$socid) // Internal user with no permission to see all
 {
- $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON e.fk_soc = sc.fk_soc";
+ $sql.= " AND e.fk_soc = sc.fk_soc";
 $sql.= " AND sc.fk_user = " .$user->id;
 }
 if ($socid)
@@ -134,7 +138,7 @@ if ($resql)
 $now = time();
 $lim = 3600 * 24 * 15 ;
- if ( ($now - $objp->date_expedition) > $lim && $objp->statutid == 1 )
+ if ( ($now - $db->jdate($objp->date_expedition)) > $lim && $objp->statutid == 1 )
 {
 print " > 15 jours";
 }
@@ -144,10 +148,10 @@ if ($resql)
 }
 print "";
- $y = dol_print_date($objp->date_expedition,"%Y");
- $m = dol_print_date($objp->date_expedition,"%m");
- $mt = dol_print_date($objp->date_expedition,"%b");
- $d = dol_print_date($objp->date_expedition,"%d");
+ $y = dol_print_date($db->jdate($objp->date_expedition),"%Y");
+ $m = dol_print_date($db->jdate($objp->date_expedition),"%m");
+ $mt = dol_print_date($db->jdate($objp->date_expedition),"%b");
+ $d = dol_print_date($db->jdate($objp->date_expedition),"%d");
 print $d."\n";
 print " ";
 print $b."\n";
diff --git a/htdocs/product/index.php b/htdocs/product/index.php
index b1d75d363e3..4354459a076 100644
--- a/htdocs/product/index.php
+++ b/htdocs/product/index.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2004-2009 Laurent Destailleur
+ * Copyright (C) 2004-2010 Laurent Destailleur
 * Copyright (C) 2005-2009 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
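Review bot: `$db->jdate($objp->date_expedition)` is evaluated five times per row across the `@@ -134` and `@@ -144` hunks, once in the age comparison and four times in the `dol_print_date` calls, always on the same fetched value. Convert it once at the top of the row, `$dateExpedition = $db->jdate($objp->date_expedition);`, and use that variable in the comparison and the four format calls; besides the redundant parsing, it removes the risk of one call site being left on the raw column value the next time this code is touched. The enclosing block under `if ($resql)` starts and ends outside these hunks.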
@@ -28,8 +28,14 @@ require("./pre.inc.php");
 require_once(DOL_DOCUMENT_ROOT.'/product.class.php');
-if (!$user->rights->produit->lire && !$user->rights->service->lire)
-accessforbidden();
+$type=isset($_GET["type"])?$_GET["type"]:(isset($_POST["type"])?$_POST["type"]:'');
+if ($type =='' && !$user->rights->produit->lire) $type='1'; // Force global page on service page only
+if ($type =='' && !$user->rights->service->lire) $type='0'; // Force global page on prpduct page only
+
+// Security check
+if ($type=='0') $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);
+else if ($type=='1') $result=restrictedArea($user,'service',$id,'service','','',$fieldid);
+else $result=restrictedArea($user,'produit|service',$id,'service','','',$fieldid);
 $product_static = new Product($db);
@@ -130,11 +136,11 @@ if ($conf->service->enabled)
 $statServices.= ''.$langs->trans("ServicesOnSell").''.round($prodser[1][1]).'';
 $statServices.= "";
 }
-if (isset($_GET["type"]) && $_GET["type"] == 0)
+if ($type == '0')
 {
 print $statProducts;
 }
-else if (isset($_GET["type"]) && $_GET["type"] == 1)
+else if ($type == '1')
 {
 print $statServices;
 }
@@ -165,7 +171,7 @@ $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."product_subproduct as sp ON p.rowid = sp.fk
 $sql.= " WHERE sp.fk_product_subproduct IS NULL";
 $sql.= " AND p.entity = ".$conf->entity;
 if ($conf->categorie->enabled && !$user->rights->categorie->voir) $sql.= " AND COALESCE(c.visible,1)=1 ";
-if (isset($_GET["type"])) $sql.= " AND p.fk_product_type = ".$_GET["type"];
+if ($type != '') $sql.= " AND p.fk_product_type = ".$type;
 $sql.= " ORDER BY p.tms DESC ";
 $sql.= $db->plimit($max,0);
 $result = $db->query($sql) ;
@@ -199,7 +205,7 @@ if ($result)
 $sql.= " FROM ".MAIN_DB_PREFIX."product_lang";
 $sql.= " WHERE fk_product=".$objp->rowid;
 $sql.= " AND lang='". $langs->getDefaultLang() ."'";
-
+
 $resultd = $db->query($sql);
 if ($resultd)
 {
diff --git a/htdocs/product/liste.php b/htdocs/product/liste.php
index 08af1d9816d..e82ca753a7d 100644
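Review bot: `$type` is taken from `$_GET`/`$_POST` without validation and, in the `@@ -165` hunk, concatenated into the query as `" AND p.fk_product_type = ".$type` behind only a `!= ''` guard; the old code concatenated `$_GET["type"]` the same way, and this commit widens the source to POST while making the permission decision depend on the value. Any value other than `'0'` or `'1'` falls through to the third `restrictedArea($user,'produit|service',...)` branch, which read as "either right suffices" is the loosest of the three, and then reaches the SQL unescaped, so normalise it right after it is read and before the two forcing lines: `if ($type !== '' && $type !== '0' && $type !== '1') $type = '';`. The `$id` and `$fieldid` arguments passed to `restrictedArea` are not assigned anywhere in this hunk; if they are not set earlier in the file they are undefined here, and initialising them (or passing `''`) would make the intent explicit. The comment on the second forcing line has a typo and should read `// Force global page on product page only`.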
--- a/htdocs/product/liste.php
+++ b/htdocs/product/liste.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2004-2009 Laurent Destailleur
+ * Copyright (C) 2004-2010 Laurent Destailleur
 * Copyright (C) 2005-2009 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
@@ -31,11 +31,6 @@ if ($conf->categorie->enabled) require_once(DOL_DOCUMENT_ROOT."/categories/categ
 $langs->load("products");
-// Security check
-if (!$user->rights->produit->lire && !$user->rights->service->lire)
-accessforbidden();
-
-
 $sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
 $sbarcode=isset($_GET["sbarcode"])?$_GET["sbarcode"]:$_POST["sbarcode"];
 $snom=isset($_GET["snom"])?$_GET["snom"]:$_POST["snom"];
@@ -55,6 +50,12 @@ $page = $_GET["page"];
 $limit = $conf->liste_limit;
 $offset = $limit * $page ;
+// Security check
+if ($type=='0') $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);
+else if ($type=='1') $result=restrictedArea($user,'service',$id,'service','','',$fieldid);
+else $result=restrictedArea($user,'produit|service',$id,'service','','',$fieldid);
+
+
 /*
 * Actions
@@ -313,7 +314,7 @@ if ($resql)
 $sql.= " WHERE fk_product=".$objp->rowid;
 $sql.= " AND lang='". $langs->getDefaultLang() ."'";
 $sql.= " LIMIT 1";
-
+
 $result = $db->query($sql);
 if ($result)
 {
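Review bot: The relocated check in the `@@ -55` hunk passes `$type`, `$id` and `$fieldid` to `restrictedArea`, but none of the three is assigned in this hunk, and the `@@ -31` hunk shows the request parameters of this page being read straight from `$_GET`/`$_POST` with no normalisation; confirm where `$type` is set and that it can only be `''`, `'0'` or `'1'`, since any other value selects the `'produit|service'` branch, the loosest of the three. The same three-line block now appears verbatim in `product/index.php` (`@@ -28`); a small shared helper taking `$type` would keep the two pages from drifting apart. The check also runs later than before, after the search parameters are read; that is harmless as long as nothing between the old position and `$offset = $limit * $page ;` touches the database, which cannot be verified from this hunk.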