From 537cd574f2f8a515ba56233cdd09a6f8a606fd4a Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Thu, 21 Jun 2007 17:28:38 +0000
Subject: [PATCH] =?UTF-8?q?Fix:=20mise=20en=20fonction=20de=20la=20v=E9rif?=
 =?UTF-8?q?ication=20des=20droits=20d'acc=E8s=20users,=20clients=20et=20co?=
 =?UTF-8?q?mmerciaux?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 htdocs/categories/categorie.php | 5 +++-
 htdocs/comm/propal.php | 50 +++++++++------------------
 htdocs/lib/functions.inc.php | 10 ++++++-
 3 files changed, 27 insertions(+), 38 deletions(-)
diff --git a/htdocs/categories/categorie.php b/htdocs/categories/categorie.php
index 4f05646d8ae..dd06892e296 100644
--- a/htdocs/categories/categorie.php
+++ b/htdocs/categories/categorie.php
@@ -38,7 +38,10 @@ require_once(DOL_DOCUMENT_ROOT."/categories/categorie.class.php");
 $langs->load("categories");
 $langs->load("companies");
-if (!$user->rights->societe->lire) accessforbidden();
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+
+// Sécurité d'accès client et commerciaux
+$socid = restrictedArea($user, 'societe', $socid);
 $mesg = '';
diff --git a/htdocs/comm/propal.php b/htdocs/comm/propal.php
index 37b4758021b..ec7883ce910 100644
--- a/htdocs/comm/propal.php
+++ b/htdocs/comm/propal.php
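Review bot: `$socid` is handed to restrictedArea() straight from `$_GET["socid"]` with no integer cast, and the same untyped value is what the rest of categorie.php works with after the call; restrictedArea() reaches an `if ($objectid)` branch (outside this hunk) that presumably looks the id up in the database, so a non-numeric value would travel into that lookup. Cast at the boundary: `$socid = isset($_GET["socid"]) ? (int) $_GET["socid"] : '';`. The return value of restrictedArea() is assigned back to `$socid` here, but the function's return statement is not in this patch, so whether an external user's own company id replaces the supplied one cannot be confirmed from the diff. This is top-level script code, not inside a function.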
@@ -54,47 +54,22 @@ if (isset($_GET["msg"])) { $mesg=urldecode($_GET["mesg"]); }
 $year=isset($_GET["year"])?$_GET["year"]:"";
 $month=isset($_GET["month"])?$_GET["month"]:"";
-// Sécurité accés client
-$socid='';
-if ($_GET["socid"]) { $socid=$_GET["socid"]; }
-if ($user->societe_id > 0)
+if (isset($_GET["socid"]))
 {
- $action = '';
- $socid = $user->societe_id;
+ $objectid=$_GET["socid"];
+ $module='societe';
+ $dbtable='';
 }
-if (!$user->rights->propale->lire) accessforbidden();
-if ($_GET['propalid'] > 0)
+else if (isset($_GET["propalid"]) && $_GET["propalid"] > 0)
 {
- $propal = new Propal($db);
- $result=$propal->fetch($_GET['propalid']);
- if (! $result > 0)
- {
- dolibarr_print_error($db,$propal->error);
- exit;
- }
- // Protection restriction commercial
- if ($user->societe_id > 0)
- {
- // Si externe, on autorise que ses propres infos
- if ($propal->socid <> $user->societe_id) accessforbidden();
- }
- else if (!$user->rights->commercial->client->voir)
- {
- // Si interne et pas les droits de voir tous les clients, on autorise que si liés
- $sql = "SELECT sc.fk_soc";
- $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc";
- $sql .= " WHERE sc.fk_soc = ".$propal->socid." AND sc.fk_user = ".$user->id;
- if ( $db->query($sql) )
- {
- if ( $db->num_rows() == 0)
- {
- accessforbidden();
- }
- }
- }
- // Fin de Protection restriction commercial
+ $objectid=$_GET["propalid"];
+ $module='propale';
+ $dbtable='propal';
 }
+// Sécurité d'accès client et commerciaux
+$socid = restrictedArea($user, $module, $objectid, $dbtable);
+
 // Nombre de ligne pour choix de produit/service prédéfinis
 $NBLINES=4;
@@ -749,6 +724,9 @@ if ($_GET['propalid'] > 0)
 */
 if ($mesg) print "$mesg
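Review bot: The unconditional `if (!$user->rights->propale->lire) accessforbidden();` that this hunk deletes has no replacement on the `socid` path nor when neither parameter is given: in both cases the module checked is 'societe' (the latter through restrictedArea()'s new empty-module fallback, with `$module`, `$objectid` and `$dbtable` also left undefined here), so a user holding only third-party read rights can now open propal.php. The `else if` ordering is the second problem: a request carrying both `socid=` and `propalid=` is authorised on the caller-chosen socid only, and the second hunk of this file then fetches `$_GET['propalid']` regardless, so the per-proposal check the removed code did on `$propal->socid` is skipped entirely. Keep the module check, test the more specific id first, cast both ids to int, and initialise the three variables so the no-parameter case is explicit rather than an undefined-variable notice; the restrictedArea() call itself can stay as written.
```php
// The module right was checked unconditionally before this refactor; keep it that way.
if (!$user->rights->propale->lire) accessforbidden();

// Explicit defaults: with no parameter restrictedArea() takes its empty-module path.
$objectid = '';
$module   = '';
$dbtable  = '';
// Most specific object first, so a stray socid= cannot bypass the per-proposal check.
if (isset($_GET["propalid"]) && $_GET["propalid"] > 0)
{
    $objectid = (int) $_GET["propalid"];
    $module   = 'propale';
    $dbtable  = 'propal';
}
else if (isset($_GET["socid"]))
{
    $objectid = (int) $_GET["socid"];
    $module   = 'societe';
}
// … unchanged: restrictedArea() call, $NBLINES …
```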
"; + + $propal = new Propal($db); + $propal->fetch($_GET['propalid']); $societe = new Societe($db); $societe->fetch($propal->socid); diff --git a/htdocs/lib/functions.inc.php b/htdocs/lib/functions.inc.php index 30c4b95c1a3..3ae93ad7764 100644 --- a/htdocs/lib/functions.inc.php +++ b/htdocs/lib/functions.inc.php @@ -1247,6 +1247,12 @@ function dol_loginfunction($notused,$pearstatus) function restrictedArea($user, $modulename, $objectid='', $dbtablename='', $list=0) { global $db; + + if (!$modulename) + { + $modulename = 'societe'; + $list = 1; + } $user->getrights($modulename); $user->getrights('commercial'); @@ -1255,7 +1261,7 @@ function dol_loginfunction($notused,$pearstatus) $nocreate = 0; //si dbtable non défini, même nom que le module - if (!$dbtable) $dbtablename = $modulename; + if (!$dbtablename) $dbtablename = $modulename; if (!$user->rights->$modulename->lire) { @@ -1275,6 +1281,8 @@ function dol_loginfunction($notused,$pearstatus) $_GET["action"] = ''; $_POST["action"] = ''; $socid = $user->societe_id; + if (!$objectid) $objectid = $socid; + if ($modulename == 'societe' && $socid <> $objectid) accessforbidden(); } if ($objectid)