Fix: Maxi debug of project permissions

Laurent Destailleur 2010-09-18 13:38:43 +00:00
parent deac363171
commit 47288c77da
9 changed files with 140 additions and 81 deletions


@ -220,12 +220,16 @@ class pdf_crabe extends ModelePDFFactures
$pdf->SetFont('','', 9);
$pdf->SetXY ($this->posxdesc-1, $tab_top);
$pdf->MultiCell(190, 3, $outputlangs->convToOutputCharset($object->note_public), 0, 'J');
//$pdf->MultiCell(190, 3, $outputlangs->convToOutputCharset($object->note_public), 0, 'J', false, 1, '', '', true, 0, false, false, 0, 'T', true);
$pdf->MultiCell(190, 3, $outputlangs->convToOutputCharset($object->note_public), 0, 'J', false); // FPDF
$nexY = $pdf->GetY();
$height_note=$nexY-$tab_top;
// Rect prend une longueur en 3eme param
$pdf->SetDrawColor(192,192,192);
//print $pdf->getStringHeight(200,'SPECIMEN',false,false);
//print "$this->marge_gauche, $tab_top-1, $this->page_largeur-$this->marge_gauche-$this->marge_droite, $height_note+1";exit;
$pdf->Rect($this->marge_gauche, $tab_top-1, $this->page_largeur-$this->marge_gauche-$this->marge_droite, $height_note+1);
$tab_height = $tab_height - $height_note;


@ -1604,6 +1604,10 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
{
if (! $user->rights->ecm->download) $readok=0;
}
else if ($feature == 'projet')
{
if (! $user->rights->projet->lire && ! $user->rights->projet->all->lire) $readok=0;
}
else if (! empty($feature2)) // This should be used for future changes
{
if (empty($user->rights->$feature->$feature2->lire)
@ -1684,10 +1688,11 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
$sql='';
$check = array('user','usergroup','produit','service','produit|service'); // Test on entity only (Objects with no link to company)
$checksoc = array('societe'); // Test for societe object
$checkother = array('contact','projet'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts, projects...).
// Others: Test on entity and link to societe. Not allowed if link is empty (Ex: invoice, orders...).
$checksoc = array('societe'); // Test for societe object
$checkother = array('contact'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts...).
$checkproject = array('projet'); // Test for project object
$nocheck = array('categorie','barcode','stock','fournisseur'); // No test
$checkdefault = 'all other not already defined'; // Test on entity and link to societe. Not allowed if link is empty (Ex: invoice, orders...).
// If dbtable not defined, we use same name for table than module name
if (empty($dbtablename)) $dbtablename = $feature;
@ -1756,6 +1761,17 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
$sql.= " AND dbt.entity = ".$conf->entity;
}
}
else if (in_array($feature,$checkproject))
{
if (! $user->rights->projet->all->lire)
{
include_once(DOL_DOCUMENT_ROOT."/projet/class/project.class.php");
$projectstatic=new Project($db);
$tmps=$projectstatic->getProjectsAuthorizedForUser($user,0,1,$user->societe_id);
$tmparray=explode(',',$tmps);
if (! in_array($objectid,$tmparray)) accessforbidden();
}
}
else if (!in_array($feature,$nocheck))
{
// If external user: Check permission for external users
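Review bot: In the new `$checkproject` branch, a user holding `projet->all->lire` skips every test, including the entity comparison that the preceding branch appends with `dbt.entity = $conf->entity`; unless the project fetch itself filters by entity (not visible here), an object id from another entity would pass. The membership test is also loose: `explode(',',$tmps)` on an empty result yields `array('')`, and a non-strict `in_array()` treats `0` as equal to `''` on PHP versions before 8. Normalising both sides avoids that, e.g. `$tmparray=array_filter(array_map('intval',explode(',',$tmps)));` followed by `if (! in_array((int) $objectid,$tmparray,true)) accessforbidden();`. The body of restrictedArea() continues outside this hunk.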


@ -266,9 +266,10 @@ function select_projects($socid=-1, $selected='', $htmlname='projectid')
* @param $lines
* @param $level
* @param $projectsrole
* @param $mytask 0 or 1 to enable only if task is a task i am affected to
* @return $inc
*/
function PLinesb(&$inc, $parent, $lines, &$level, &$projectsrole)
function PLinesb(&$inc, $parent, $lines, &$level, &$projectsrole, &$tasksrole, $mytask=0)
{
global $user, $bc, $langs;
global $form;
@ -327,19 +328,29 @@ function PLinesb(&$inc, $parent, $lines, &$level, &$projectsrole)
else print '--:--';
print "</td>\n";
$disabled=1;
$disabledproject=1;$disabledtask=1;
//print "x".$lines[$i]->fk_project;
//var_dump($lines[$i]);
//var_dump($projectsrole[$lines[$i]->fk_project]);
// If at least one role for project
if ($lines[$i]->public || ! empty($projectsrole[$lines[$i]->fk_project]) || $user->rights->projet->all->creer) $disabled=0;
if ($lines[$i]->public || ! empty($projectsrole[$lines[$i]->fk_project]) || $user->rights->projet->all->creer)
{
$disabledproject=0;
$disabledtask=0;
}
// If mytask and no role on task
if ($mytask && empty($tasksrole[$lines[$i]->id]))
{
$disabledtask=1;
}
print '<td nowrap="nowrap">';
print $form->select_date('',$lines[$i]->id,'','','',"addtime",1,0,1,$disabled);
print $form->select_date('',$lines[$i]->id,'','','',"addtime",1,0,1,$disabledtask);
print '&nbsp;&nbsp;&nbsp;';
print $form->select_duration($lines[$i]->id,'',$disabled);
print '&nbsp;<input type="submit" class="button"'.($disabled?' disabled="true"':'').' value="'.$langs->trans("Add").'">';
if ((! $lines[$i]->public) && $disabled) print '('.$langs->trans("YouAreNotContactOfProject").')';
print $form->select_duration($lines[$i]->id,'',$disabledtask);
print '&nbsp;<input type="submit" class="button"'.($disabledtask?' disabled="true"':'').' value="'.$langs->trans("Add").'">';
if ($disabledtask) print '('.$langs->trans("TaskIsNotAffectedToYou").')';
if ((! $lines[$i]->public) && $disabledproject) print '('.$langs->trans("YouAreNotContactOfProject").')';
print '</td>';
print "<td>&nbsp;";
print '</td>';
@ -347,7 +358,7 @@ function PLinesb(&$inc, $parent, $lines, &$level, &$projectsrole)
print "</tr>\n";
$inc++;
$level++;
if ($lines[$i]->id) PLinesb($inc, $lines[$i]->id, $lines, $level, $projectsrole);
if ($lines[$i]->id) PLinesb($inc, $lines[$i]->id, $lines, $level, $projectsrole, $tasksrole, $mytask);
$level--;
}
else
@ -541,8 +552,8 @@ function SearchTaskInChild(&$inc, $parent, &$lines, &$taskrole)
/**
* Clean task not linked to a parent
* @param unknown_type $db
* @return int Nb of records deleted
* @param $db Database handler
* @return int Nb of records deleted
*/
function clean_orphelins($db)
{
@ -598,12 +609,13 @@ function clean_orphelins($db)
/**
* Return HTML table with list of projects and number of opened tasks
*
* @param unknown_type $db
* @param unknown_type $mine
* @param unknown_type $socid
* @param unknown_type $projectsListId
* @param $db
* @param $mine Limited to project i am contact to
* @param $socid
* @param $projectsListId
* @param $mytasks Limited to task i am contact to
*/
function print_projecttasks_array($db,$mine,$socid,$projectsListId)
function print_projecttasks_array($db, $mine, $socid, $projectsListId, $mytasks=0)
{
global $langs,$conf,$user,$bc;
@ -623,11 +635,29 @@ function print_projecttasks_array($db,$mine,$socid,$projectsListId)
$sql = "SELECT p.rowid as projectid, p.ref, p.title, p.fk_user_creat, p.public, p.fk_statut, COUNT(t.rowid) as nb";
$sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."projet_task as t ON p.rowid = t.fk_projet";
if ($mytasks)
{
$sql.= ", ".MAIN_DB_PREFIX."projet_task as t";
$sql.= ", ".MAIN_DB_PREFIX."element_contact as ec";
$sql.= ", ".MAIN_DB_PREFIX."c_type_contact as ctc";
}
else
{
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."projet_task as t ON p.rowid = t.fk_projet";
}
$sql.= " WHERE p.entity = ".$conf->entity;
if ($mine) $sql.= " AND p.rowid IN (".$projectsListId.")";
if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
$sql.= " GROUP BY p.rowid, p.ref, p.title, p.fk_user_creat, p.public, p.fk_statut";
if (! $user->rights->projet->all->lire) $sql.= " AND p.rowid IN (".$projectsListId.")";
//if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($socid) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($mytasks)
{
$sql.= " AND p.rowid = t.fk_projet";
$sql.= " AND ec.element_id = t.rowid";
$sql.= " AND ctc.rowid = ec.fk_c_type_contact";
$sql.= " AND ctc.element = 'project_task'";
$sql.= " AND ec.fk_socpeople = ".$user->id;
}
$sql.= " GROUP BY p.rowid, p.ref, p.title, p.fk_user_creat, p.public, p.fk_statut";
$var=true;
$resql = $db->query($sql);
@ -644,8 +674,8 @@ function print_projecttasks_array($db,$mine,$socid,$projectsListId)
$projectstatic->user_author_id = $objp->fk_user_creat;
$projectstatic->public = $objp->public;
// Check is user has read permission on project
$userAccess = $projectstatic->restrictedProjectArea($user,1);
if ($userAccess >= 0)
{
$var=!$var;
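Review bot: The third-party filter in print_projecttasks_array() no longer applies to users who lack `societe->client->voir`: the condition `$socid || ! $user->rights->societe->client->voir` becomes `if ($socid)`, so with `$socid` at 0 such a user gets no `p.fk_soc` restriction. For a user who also holds `projet->all->lire` the `p.rowid IN (...)` filter is skipped as well, which leaves only the entity test. The same condition is relaxed in getProjectsAuthorizedForUser() and in the two list queries later in this commit, and the comment there justifies it for projects the user is a contact of, not for public projects or the all-projects right. If the wider visibility is intended, record it next to the new line, e.g. `// Third-party visibility (societe->client->voir) is deliberately not applied to projects`.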


@ -49,8 +49,8 @@ $langs->load("projects");
$now = dol_now();
$projectstatic=new Project($db);
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,$mine,1);
//$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,$mine,1);
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,0,1); // Return all project i have permission on. I want my tasks and some of my task may be on a public projet that is not my project
$title=$langs->trans("Activities");
if ($mine) $title=$langs->trans("MyActivities");
@ -69,8 +69,7 @@ else
print '<table border="0" width="100%" class="notopnoleftnoright">';
print '<tr><td width="30%" valign="top" class="notopnoleft">';
print_projecttasks_array($db,$mine,$socid,$projectsListId);
print_projecttasks_array($db,0,$socid,$projectsListId,$mine);
/* Affichage de la liste des projets d'aujourd'hui */
@ -80,7 +79,7 @@ print '<td width="50%">'.$langs->trans('Today').'</td>';
print '<td width="50%" align="right">'.$langs->trans("Time").'</td>';
print "</tr>\n";
$sql = "SELECT p.rowid, p.ref, p.title, sum(tt.task_duration) as nb";
$sql = "SELECT p.rowid, p.ref, p.title, SUM(tt.task_duration) as nb";
$sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql.= ", ".MAIN_DB_PREFIX."projet_task as t";
$sql.= ", ".MAIN_DB_PREFIX."projet_task_time as tt";
@ -90,7 +89,7 @@ $sql.= " AND tt.fk_task = t.rowid";
$sql.= " AND tt.fk_user = ".$user->id;
$sql.= " AND date_format(task_date,'%d%m%y') = ".strftime("%d%m%y",time());
$sql.= " AND p.rowid in ('".$projectsListId."')";
$sql.= " GROUP BY p.rowid";
$sql.= " GROUP BY p.rowid, p.ref, p.title";
$resql = $db->query($sql);
if ( $resql )
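Review bot: The unchanged filter `p.rowid in ('".$projectsListId."')` wraps the whole comma-separated list in one pair of quotes, so the database receives a single string literal rather than a list of ids; now that `$projectsListId` holds every project the user has permission on, that probably matches at most the first id after numeric conversion. The other queries in this commit use the unquoted form, `$sql.= " AND p.rowid IN (".$projectsListId.")";`. That form assumes getProjectsAuthorizedForUser() returns only integer ids, which is not visible in this hunk.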


@ -35,6 +35,9 @@ $langs->load('projects');
$mode=$_REQUEST["mode"];
$mine=0;
if ($mode == 'mine') $mine=1;
$projectid='';
$projectid=isset($_GET["id"])?$_GET["id"]:$_POST["projectid"];
@ -98,14 +101,18 @@ if ($_POST["action"] == 'addtime' && $user->rights->projet->creer)
*/
$form=new Form($db);
$projectstatic=new Project($db);
$project = new Project($db);
$taskstatic = new Task($db);
$title=$langs->trans("TimeSpent");
if ($mode == 'mine') $title=$langs->trans("MyTimeSpent");
if ($mine) $title=$langs->trans("MyTimeSpent");
llxHeader("",$title,"");
$project = new Project($db);
$task = new Task($db);
//$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,$mine,1);
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,0,1); // Return all project i have permission on. I want my tasks and some of my task may be on a public projet that is not my project
if ($_GET["id"])
{
@ -113,14 +120,18 @@ if ($_GET["id"])
$project->societe->fetch($project->societe->id);
}
$tasksarray=$taskstatic->getTasksArray(0,0,($project->id?$project->id:$projectsListId),$socid,0); // We want to see all task of project i am allowed to see, not only mine. Later only mine will be editable later.
$projectsrole=$taskstatic->getUserRolesForProjectsOrTasks($user,0,($project->id?$project->id:$projectsListId),0);
$tasksrole=$taskstatic->getUserRolesForProjectsOrTasks(0,$user,($project->id?$project->id:$projectsListId),0);
//var_dump($tasksarray);
//var_dump($projectsrole);
//var_dump($taskrole);
print_barre_liste($title, $page, $_SERVER["PHP_SELF"], "", $sortfield, $sortorder, "", $num);
if ($mesg) print $mesg;
$tasksarray=$task->getTasksArray(0,0,$project->id,$socid);
$projectsrole=$task->getUserRolesForProjectsOrTasks($user,0,$project->id,0);
//var_dump($tasksarray);
//var_dump($projectsrole);
print '<form name="addtime" method="POST" action="'.$_SERVER["PHP_SELF"].'?id='.$project->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
@ -134,7 +145,7 @@ print '<td>'.$langs->trans("LabelTask").'</td>';
print '<td align="right">'.$langs->trans("TimeSpent").'</td>';
print '<td colspan="2">'.$langs->trans("AddDuration").'</td>';
print "</tr>\n";
PLinesb($j, 0, $tasksarray, $level, $projectsrole);
PLinesb($j, 0, $tasksarray, $level, $projectsrole, $tasksrole, $mine);
print '</form>';
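Review bot: `getTasksArray(0,0,($project->id?$project->id:$projectsListId),$socid,0)` relies on `$projectsListId` being non-empty: the Task class change in this commit adds the project filter only under `if ($projectid)`, so if getProjectsAuthorizedForUser() returns an empty list for a user with no project (its return value is not visible here), the filter is dropped and tasks of every project in the entity are listed. A guard before the query, e.g. `if (empty($project->id) && empty($projectsListId)) $tasksarray=array();` with the call moved into the `else`, keeps that case empty. Separately, `$mine` comes from `$_REQUEST["mode"]`, so the disabled inputs that PLinesb() prints are a display choice and not a permission check on the `addtime` action, whose handler lies outside these hunks.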


@ -699,7 +699,7 @@ class Project extends CommonObject
}
/**
* \brief Check permissions
* \brief Check if user has read permission on project
* @param user Object user to evaluate
* @param noprint 0=Print forbidden message if no permission, 1=Return -1 if no permission
*/
@ -758,7 +758,7 @@ class Project extends CommonObject
}
/**
* Return array of projects affected to a user, authorized to a user, or all projects
* Return array of projects a user has permission on, is affected to, or all projects
*
* @param user User object
* @param mode 0=All project I have permission on, 1=Affected to me only, 2=Will return list of all projects
@ -775,23 +775,17 @@ class Project extends CommonObject
$sql = "SELECT DISTINCT p.rowid, p.ref";
$sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql.= ", ".MAIN_DB_PREFIX."element_contact as ec";
$sql.= ", ".MAIN_DB_PREFIX."c_type_contact as ctc";
if ($mode == 0 || $mode == 1)
{
$sql.= ", ".MAIN_DB_PREFIX."element_contact as ec";
$sql.= ", ".MAIN_DB_PREFIX."c_type_contact as ctc";
}
$sql.= " WHERE p.entity = ".$conf->entity;
if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
// Internal users must see project he is contact to even if project linked to a third party he can't see.
//if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($socid) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($mode == 2)
{
// No filter. Use this if user has permission to see all project
}
if ($mode == 1)
{
$sql.= " AND ec.element_id = p.rowid";
$sql.= " AND ctc.rowid = ec.fk_c_type_contact";
$sql.= " AND ctc.element = '".$this->element."'";
$sql.= " AND ec.fk_socpeople = ".$user->id;
}
if ($mode == 0)
if ($mode == 0)
{
$sql.= " AND ( p.public = 1";
//$sql.= " OR p.fk_user_creat = ".$user->id;
@ -800,6 +794,17 @@ class Project extends CommonObject
$sql.= " AND ctc.element = '".$this->element."'";
$sql.= " AND ec.fk_socpeople = ".$user->id." ) )";
}
if ($mode == 1)
{
$sql.= " AND ec.element_id = p.rowid";
$sql.= " AND ctc.rowid = ec.fk_c_type_contact";
$sql.= " AND ctc.element = '".$this->element."'";
$sql.= " AND ec.fk_socpeople = ".$user->id;
}
if ($mode == 2)
{
// No filter. Use this if user has permission to see all project
}
$resql = $this->db->query($sql);
if ($resql)
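Review bot: For mode 0 the query joins `element_contact` and `c_type_contact` with a comma while the contact conditions sit inside `( p.public = 1 OR ( ... ) )`, so a public project is paired with every row of both tables before `DISTINCT` collapses the result, and no project is returned at all when either table is empty. Since this list now drives the access decision in restrictedArea() and on the list pages, an `EXISTS` subquery on the contact tables (or a `LEFT JOIN` with the contact conditions in the `ON` clause) would make the public and contact cases independent. `$socid` and `$user->id` are concatenated unquoted; casting at this point, e.g. `(int) $socid`, keeps the query well-formed regardless of the caller. Part of the mode 0 condition lies between the two hunks and is not visible.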


@ -333,7 +333,7 @@ class Task extends CommonObject
return 0;
}
}
// Delete rang of line
//$this->delRangOfLine($this->id, $this->element);
@ -478,7 +478,7 @@ class Task extends CommonObject
$sql.= " WHERE t.fk_projet = p.rowid";
$sql.= " AND p.entity = ".$conf->entity;
if ($socid) $sql.= " AND p.fk_soc = ".$socid;
if ($projectid) $sql.= " AND p.rowid =".$projectid;
if ($projectid) $sql.= " AND p.rowid in (".$projectid.")";
}
if ($mode == 1)
{
@ -486,7 +486,7 @@ class Task extends CommonObject
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."projet_task as t on t.fk_projet = p.rowid";
$sql.= " WHERE p.entity = ".$conf->entity;
if ($socid) $sql.= " AND p.fk_soc = ".$socid;
if ($projectid) $sql.= " AND p.rowid =".$projectid;
if ($projectid) $sql.= " AND p.rowid in (".$projectid.")";
}
$sql.= " ORDER BY p.ref, t.label";
@ -504,7 +504,7 @@ class Task extends CommonObject
$obj = $this->db->fetch_object($resql);
if ((! $obj->public) && (is_object($userp))) // If not public and we ask a filter on project owned by a user
if ((! $obj->public) && (is_object($userp))) // If not public project and we ask a filter on project owned by a user
{
if (! $this->getUserRolesForProjectsOrTasks($userp, 0, $obj->projectid, 0))
{
@ -552,14 +552,13 @@ class Task extends CommonObject
* Return list of roles for a user for each projects or each tasks (or a particular project or task)
* @param userp Return roles on project for this internal user (task id can't be defined)
* @param usert Return roles on task for this internal user
* @param projectid Project id to filter on a project
* @param projectid Project id list separated with , to filter on project
* @param taskid Task id to filter on a task
* @return array Array (projectid => 'list of roles for project' or taskid => 'list of roles for task')
*/
function getUserRolesForProjectsOrTasks($userp,$usert,$projectid=0,$taskid=0)
function getUserRolesForProjectsOrTasks($userp,$usert,$projectid='',$taskid=0)
{
$projectsrole = array();
$tasksrole = array();
$arrayroles = array();
dol_syslog("Task::getUserRolesForProjectsOrTasks userp=".is_object($userp)." usert=".is_object($usert)." projectid=".$projectid." taskid=".$taskid);
@ -591,8 +590,8 @@ class Task extends CommonObject
$sql.= " AND ctc.source = 'internal'";
if ($projectid)
{
if ($userp) $sql.= " AND pt.rowid = ".$projectid;
if ($usert) $sql.= " AND pt.fk_projet = ".$projectid;
if ($userp) $sql.= " AND pt.rowid in (".$projectid.")";
if ($usert) $sql.= " AND pt.fk_projet in (".$projectid.")";
}
if ($taskid)
{
@ -610,8 +609,8 @@ class Task extends CommonObject
while ($i < $num)
{
$obj = $this->db->fetch_object($resql);
if (empty($projectsrole[$obj->pid])) $projectsrole[$obj->pid] = $obj->code;
else $projectsrole[$obj->pid].=','.$obj->code;
if (empty($arrayroles[$obj->pid])) $arrayroles[$obj->pid] = $obj->code;
else $arrayroles[$obj->pid].=','.$obj->code;
$i++;
}
$this->db->free($resql);
@ -621,7 +620,7 @@ class Task extends CommonObject
dol_print_error($this->db);
}
return $projectsrole;
return $arrayroles;
}
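Review bot: `$projectid` changes from a single id to a caller-supplied comma-separated string that is concatenated into `p.rowid in (...)`, `pt.rowid in (...)` and `pt.fk_projet in (...)` with no check that each element is an integer. The callers in this commit pass `$project->id` or the output of getProjectsAuthorizedForUser(), but both methods are declared without visibility and the docblock now invites arbitrary lists. Normalising at the top of getTasksArray() and getUserRolesForProjectsOrTasks() closes that, e.g. `$projectid=implode(',',array_filter(array_map('intval',explode(',',$projectid))));`. The `dol_syslog()` call also writes the raw value to the log, so the normalisation belongs before it.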


@ -85,7 +85,7 @@ $sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
$sql.= " WHERE p.entity = ".$conf->entity;
if (! $user->rights->projet->all->lire) $sql.= " AND p.rowid IN (".$projectsListId.")";
if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($socid) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
$sql.= " GROUP BY s.nom, s.rowid";
$var=true;


@ -29,23 +29,18 @@
require("../main.inc.php");
require_once(DOL_DOCUMENT_ROOT."/projet/class/project.class.php");
if (!$user->rights->projet->lire) accessforbidden();
$socid = ( is_numeric($_GET["socid"]) ? $_GET["socid"] : 0 );
$title = $langs->trans("Projects");
// Security check
$socid=0;
$socid = (is_numeric($_GET["socid"]) ? $_GET["socid"] : 0 );
if ($user->societe_id > 0) $socid=$user->societe_id;
if ($socid > 0)
{
$soc = new Societe($db);
$soc->fetch($socid);
$title .= ' (<a href="liste.php">'.$soc->nom.'</a>)';
}
if (!$user->rights->projet->lire) accessforbidden();
$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
@ -60,6 +55,7 @@ $offset = $conf->liste_limit * $page ;
$pageprev = $page - 1;
$pagenext = $page + 1;
$mine = $_REQUEST['mode']=='mine' ? 1 : 0;
/*
@ -71,7 +67,6 @@ llxHeader("",$langs->trans("Projects"),"EN:Module_Projects|FR:Module_Projets|ES:
$projectstatic = new Project($db);
$socstatic = new Societe($db);
$mine = $_REQUEST['mode']=='mine' ? 1 : 0;
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,$mine,1,$socid);
$sql = "SELECT p.rowid as projectid, p.ref, p.title, p.fk_statut, p.public, p.fk_user_creat";
@ -80,9 +75,10 @@ $sql.= ", s.nom, s.rowid as socid";
$sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
$sql.= " WHERE p.entity = ".$conf->entity;
if ($mine) $sql.= " AND p.rowid IN (".$projectsListId.")";
//var_dump($user->rights->societe);
if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if (! $user->rights->projet->all->lire) $sql.= " AND p.rowid IN (".$projectsListId.")";
// No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
//if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($socid) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($_GET["search_ref"])
{
$sql.= " AND p.ref LIKE '%".addslashes($_GET["search_ref"])."%'";
@ -98,7 +94,6 @@ if ($_GET["search_societe"])
$sql.= $db->order($sortfield,$sortorder);
$sql.= $db->plimit($conf->liste_limit+1, $offset);
//print $sql;
$var=true;
$resql = $db->query($sql);
if ($resql)
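Review bot: `p.rowid IN (".$projectsListId.")` is now appended for every user without `projet->all->lire` rather than only in `mine` mode, so a user with no authorised project would produce `IN ()` if getProjectsAuthorizedForUser() returns an empty string (its return value is not shown); that is a syntax error, and the failure path may print the query. A guard such as `if (empty($projectsListId)) $projectsListId='0';` before the query is built keeps the result empty instead, assuming no project has rowid 0. The same pattern appears in print_projecttasks_array() and in the query grouped by third party earlier in this commit. The search filter just below still escapes with `addslashes()`; the database handler's own escaping would be the safer choice there.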