From 524f01348cbe60501ff099fbd1bf3cd0a6ba1883 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Mon, 4 May 2009 10:46:53 +0000 Subject: [PATCH] Fix: security with multi-company --- htdocs/product/barcode.php | 3 +-- htdocs/product/document.php | 3 +-- htdocs/product/fournisseurs.php | 3 +-- htdocs/product/photos.php | 3 +-- htdocs/product/price.php | 3 +-- htdocs/product/sousproduits/fiche.php | 3 +-- htdocs/product/stats/commande.php | 3 +-- htdocs/product/stats/commande_fournisseur.php | 3 +-- htdocs/product/stats/contrat.php | 3 +-- htdocs/product/stats/facture.php | 3 +-- htdocs/product/stats/facture_fournisseur.php | 3 +-- htdocs/product/stats/fiche.php | 3 +-- htdocs/product/stats/propal.php | 3 +-- htdocs/product/stock/product.php | 3 +-- htdocs/product/traduction.php | 3 +-- 15 files changed, 15 insertions(+), 30 deletions(-) diff --git a/htdocs/product/barcode.php b/htdocs/product/barcode.php index 3a134c0ff4d..7656be6a297 100644 --- a/htdocs/product/barcode.php +++ b/htdocs/product/barcode.php @@ -37,9 +37,8 @@ $langs->load("bills"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/document.php b/htdocs/product/document.php index b4e98d4dc68..11aeb18ab8f 100755 --- a/htdocs/product/document.php +++ b/htdocs/product/document.php 
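Review bot: The relocated `$fieldid` line still keys on `ref` while the `$id` line two lines above prefers `id`, so a request carrying both `id=` and `ref=` hands `restrictedArea()` the numeric id together with `$fieldid='ref'`, and the object-level check looks up a product whose ref equals that number rather than the one actually being displayed. Whether a no-match row is treated as "denied" or "nothing to restrict" is decided inside `restrictedArea()`, which is not visible here, so this should not be left to chance in a security fix. Deriving the value and the selector from one decision closes the gap and also gives `$id` a defined value when neither parameter is present (today it is only assigned inside the `if`). The same pattern is repeated verbatim in every file of this patch.
```php
// … unchanged: $langs->load("bills"); …
$id = '';
$fieldid = 'rowid';
if (isset($_GET["id"]))
{
	$id = $_GET["id"];
}
elseif (isset($_GET["ref"]))
{
	$id = $_GET["ref"];
	$fieldid = 'ref';
}
// … unchanged: $socid assignment and restrictedArea() call …
```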
@@ -42,9 +42,8 @@ $action=empty($_GET['action']) ? (empty($_POST['action']) ? '' : $_POST['action' if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php index 68216d72359..c2d53e12573 100644 --- a/htdocs/product/fournisseurs.php +++ b/htdocs/product/fournisseurs.php @@ -39,9 +39,8 @@ $langs->load("bills"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/photos.php b/htdocs/product/photos.php index 176dd9c437f..cc402e5f8d3 100644 --- a/htdocs/product/photos.php +++ b/htdocs/product/photos.php @@ -38,9 +38,8 @@ $langs->load("bills"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/price.php b/htdocs/product/price.php index 84d5264d582..e4423039a12 100644 --- a/htdocs/product/price.php +++ b/htdocs/product/price.php 
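Review bot: In document.php, fournisseurs.php and photos.php the new default only covers `$fieldid`; `$id` is still assigned solely inside the `if`, so a request with neither `id` nor `ref` reaches `restrictedArea($user,'produit',$id,...)` with `$id` undefined. The document.php hunk header shows `$action` being read from `$_POST` as well, so a POST whose `id` travels in the body (presumably possible for the upload/delete actions, to be confirmed outside this hunk) would take exactly that path while the action still executes. Adding `$id = '';` before the `if` makes the call well-defined, and reading the identifier from the same source as `$action` would keep the check aligned with the request that is actually processed.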
@@ -38,9 +38,8 @@ $langs->load("bills"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/sousproduits/fiche.php b/htdocs/product/sousproduits/fiche.php index 84faf8c04d0..2c07b47ed7a 100644 --- a/htdocs/product/sousproduits/fiche.php +++ b/htdocs/product/sousproduits/fiche.php @@ -39,9 +39,8 @@ $langs->load("products"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/stats/commande.php b/htdocs/product/stats/commande.php index 06ac36cc92f..5852a2c9c36 100644 --- a/htdocs/product/stats/commande.php +++ b/htdocs/product/stats/commande.php @@ -39,9 +39,8 @@ $langs->load("companies"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php index cbadcc6764b..5f685ac77c3 100644 --- a/htdocs/product/stats/commande_fournisseur.php +++ b/htdocs/product/stats/commande_fournisseur.php 
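Review bot: In price.php, sousproduits/fiche.php and stats/commande.php the value passed to `restrictedArea()` is the raw `$_GET["id"]` or `$_GET["ref"]` string, and with `$fieldid` now always set it is always consumed by the helper. Whether `restrictedArea()` escapes `$id` before using it against the `product` table with the selected column is not visible from this hunk; since price.php in particular edits pricing data, an explicit cast on the numeric path, `$id = isset($_GET["id"]) ? (int) $_GET["id"] : (isset($_GET["ref"]) ? $_GET["ref"] : '');`, makes the rowid branch safe regardless, and the ref branch should be confirmed to be escaped at the point of use.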
@@ -39,9 +39,8 @@ $langs->load("companies"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/stats/contrat.php b/htdocs/product/stats/contrat.php index 443bde1c9e1..fdd9bc36c47 100644 --- a/htdocs/product/stats/contrat.php +++ b/htdocs/product/stats/contrat.php @@ -38,9 +38,8 @@ $langs->load("companies"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/stats/facture.php b/htdocs/product/stats/facture.php index 7f816108b42..737b910303e 100644 --- a/htdocs/product/stats/facture.php +++ b/htdocs/product/stats/facture.php @@ -39,9 +39,8 @@ $langs->load("products"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/stats/facture_fournisseur.php b/htdocs/product/stats/facture_fournisseur.php index 5ac6d29510c..b7132659aa9 100644 --- a/htdocs/product/stats/facture_fournisseur.php +++ b/htdocs/product/stats/facture_fournisseur.php 
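Review bot: In commande_fournisseur.php, contrat.php and facture.php the hunk assigns `$result=restrictedArea(...)` but nothing in the visible lines tests `$result`, so the reader cannot tell whether denial ends the request inside the helper or relies on a check that follows. If `restrictedArea()` terminates on failure, the assignment is dead and a comment should say so; if it returns a status, the page must act on it before any output. Either way a one-line comment above the call, `// restrictedArea() ends the request on denial; the return value is not consulted here` (or the opposite, as the helper actually behaves), documents the contract this fix depends on.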
@@ -40,9 +40,8 @@ $langs->load("companies"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/stats/fiche.php b/htdocs/product/stats/fiche.php index 624440d3f15..d4e4dee25f0 100644 --- a/htdocs/product/stats/fiche.php +++ b/htdocs/product/stats/fiche.php @@ -42,9 +42,8 @@ $mode=isset($_GET["mode"])?$_GET["mode"]:'byunit'; if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php index b489cfca726..c66ed9022a4 100644 --- a/htdocs/product/stats/propal.php +++ b/htdocs/product/stats/propal.php @@ -38,9 +38,8 @@ $langs->load("companies"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/stock/product.php b/htdocs/product/stock/product.php index 6fc6c7d9efd..d28d6c38eda 100644 --- a/htdocs/product/stock/product.php +++ b/htdocs/product/stock/product.php 
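Review bot: This patch applies the same six-line access preamble by hand to 15 files (facture_fournisseur.php, stats/fiche.php and stats/propal.php on this line), which is why a single missed copy would silently leave one product tab without the multi-company check. The id/ref resolution, `$socid` derivation and `restrictedArea()` call are byte-identical across the set, so they belong in one shared include (a small helper in the product library that returns `$id` and `$fieldid`) that each page calls. That keeps the next correction to this logic a one-file change and makes a grep for pages lacking the check trivial.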
@@ -40,9 +40,8 @@ $langs->load("bills"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid); diff --git a/htdocs/product/traduction.php b/htdocs/product/traduction.php index cb4c30e6f45..d37f6bdbc62 100644 --- a/htdocs/product/traduction.php +++ b/htdocs/product/traduction.php @@ -39,9 +39,8 @@ $langs->load("bills"); if (isset($_GET["id"]) || isset($_GET["ref"])) { $id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:''); - $fieldid = isset($_GET["ref"])?'ref':'rowid'; } - +$fieldid = isset($_GET["ref"])?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);
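Review bot: In stock/product.php and traduction.php the line `if ($user->societe_id) $socid=$user->societe_id;` computes the external user's company but the `restrictedArea()` call that follows does not receive `$socid` (its arguments are the user, feature, id, table, two empty strings and `$fieldid`), so whether the company restriction is enforced depends on code after the hunk that is not visible here. If `$socid` is meant to narrow later queries, a comment on that line, `// external users are restricted to their own company; $socid is applied in the queries below`, would make the intent checkable; if it is unused in these two pages, it should be dropped so it does not suggest a check that is not happening.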