From 8911d72be84bd64c16cf5f8fa31329185d0a2b7d Mon Sep 17 00:00:00 2001 From: Marc de Lima Lucio Date: Tue, 30 Oct 2018 12:28:04 +0100 Subject: [PATCH 1/2] FIX: task time screen: prevent users with access to all project from assigning to tasks they're not allowed to do --- htdocs/core/class/html.formprojet.class.php | 37 ++++++++++++--------- htdocs/projet/activity/perday.php | 2 +- htdocs/projet/activity/perweek.php | 2 +- 3 files changed, 24 insertions(+), 17 deletions(-) diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php index 616355eab28..c2d8377add5 100644 --- a/htdocs/core/class/html.formprojet.class.php +++ b/htdocs/core/class/html.formprojet.class.php 
@@ -295,22 +295,29 @@ class FormProjets
 /**
  * Output a combo list with projects qualified for a third party
  *
- * @param int $socid Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id)
- * @param int $selected Id task preselected
- * @param string $htmlname Name of HTML select
- * @param int $maxlength Maximum length of label
- * @param int $option_only Return only html options lines without the select tag
- * @param string $show_empty Add an empty line ('1' or string to show for empty line)
- * @param int $discard_closed Discard closed projects (0=Keep,1=hide completely,2=Disable)
- * @param int $forcefocus Force focus on field (works with javascript only)
- * @param int $disabled Disabled
- * @param string $morecss More css added to the select component
- * @return int Nbr of project if OK, <0 if KO
+ * @param int $socid Id third party (-1=all, 0=only projects not linked to a third party, id=projects not linked or linked to third party id)
+ * @param int $selected Id task preselected
+ * @param string $htmlname Name of HTML select
+ * @param int $maxlength Maximum length of label
+ * @param int $option_only Return only html options lines without the select tag
+ * @param string $show_empty Add an empty line ('1' or string to show for empty line)
+ * @param int $discard_closed Discard closed projects (0=Keep,1=hide completely,2=Disable)
+ * @param int $forcefocus Force focus on field (works with javascript only)
+ * @param int $disabled Disabled
+ * @param string $morecss More css added to the select component
+ * @param User $usertofilter User object to use for filtering
+ * @param int $forceuserfilter 1=Force individual task user rights even if user has right to see all
+ * @return int Nbr of project if OK, <0 if KO
 */
- function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, 
$morecss='maxwidth500') + function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500', $usertofilter=null, $forceuserfilter=0) { global $user,$conf,$langs; + if(is_null($usertofilter)) + { + $usertofilter = $user; + } + require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; $out=''; @@ -319,10 +326,10 @@ class FormProjets if (! empty($conf->global->PROJECT_HIDE_UNSELECTABLES)) $hideunselectables = true; $projectsListId = false; - if (empty($user->rights->projet->all->lire)) + if (empty($usertofilter->rights->projet->all->lire) || $forceuserfilter) { $projectstatic=new Project($this->db); - $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user,0,1); + $projectsListId = $projectstatic->getProjectsAuthorizedForUser($usertofilter,0,1); } // Search all projects @@ -367,7 +374,7 @@ class FormProjets { $obj = $this->db->fetch_object($resql); // If we ask to filter on a company and user has no permission to see all companies and project is linked to another company, we hide project. - if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && empty($user->rights->societe->lire)) + if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && empty($usertofilter->rights->societe->lire)) { // Do nothing } diff --git a/htdocs/projet/activity/perday.php b/htdocs/projet/activity/perday.php index b4329ac9237..b1214f0bff7 100644 --- a/htdocs/projet/activity/perday.php +++ b/htdocs/projet/activity/perday.php @@ -399,7 +399,7 @@ print '
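Review bot: The added default handling `if(is_null($usertofilter)) { $usertofilter = $user; }` only catches `null`, so a caller that reaches the new parameter positionally with a scalar such as `0` or `''` keeps that value and the rights checks later in the method dereference `->rights` on a non-object. A broader guard, `if (! is_object($usertofilter)) $usertofilter = $user;`, covers both the omitted and the mis-typed case. The new `@param User $usertofilter` line should also state the default, e.g. `User object to use for filtering (null=current user)`. selectTasks() continues past the end of this hunk.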
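Review bot: The branch now decides which projects are listed from `$usertofilter`'s rights alone, so when a caller passes a user who holds `projet->all->lire` the logged-in `$user` is offered every project even if they lack that right themselves; whether that widening is acceptable depends on the permission that gates the calling page, which is not visible here. If the acting user's own visibility must never be exceeded, test both, `if (empty($user->rights->projet->all->lire) || empty($usertofilter->rights->projet->all->lire) || $forceuserfilter)`, and intersect the two authorized project lists rather than using only `$usertofilter`'s. A `$usertofilter` whose rights were never loaded takes the restricted branch, which at least fails closed.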
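Review bot: The comment kept above the rewritten condition says a project linked to another company is hidden when the user cannot read third parties, yet the condition enters the `// Do nothing` branch when `$obj->fk_soc` is empty or equal to `$socid`, i.e. for projects that are unlinked or linked to the requested company, so the comment and the `==` look inverted relative to each other. This predates the commit, but since the line is being touched it is worth confirming against the else branch, which lies outside the hunk. Either reword the comment to `// ... project is not linked to another company, we hide project.` or change the test to `$obj->fk_soc != $socid`, whichever matches the intended behaviour.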
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); diff --git a/htdocs/projet/activity/perweek.php b/htdocs/projet/activity/perweek.php index 591f8b3ab6f..d18afc573e1 100644 --- a/htdocs/projet/activity/perweek.php +++ b/htdocs/projet/activity/perweek.php @@ -402,7 +402,7 @@ print '
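Review bot: The rewritten call passes `''` as the tenth positional argument to reach the two new ones, which replaces the `$morecss` default of `'maxwidth500'` declared in html.formprojet.class.php and so changes the widget's CSS as a side effect of a permission fix. Keep the previous rendering by passing the default explicitly: `$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, 'maxwidth500', $usertoprocess, 1);`. The surrounding `print` statements in this copy of the hunk appear to have lost their HTML, so the context lines could not be fully checked.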
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); From 2fbc305683c9cacba509e4fb0a67cac4f7c98fd5 Mon Sep 17 00:00:00 2001 From: Marc de Lima Lucio Date: Tue, 30 Oct 2018 16:00:56 +0100 Subject: [PATCH 2/2] FIX: task time screen: last fix was overkill --- htdocs/core/class/html.formprojet.class.php | 5 ++--- htdocs/projet/activity/perday.php | 2 +- htdocs/projet/activity/perweek.php | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php index c2d8377add5..cb31107c65c 100644 --- a/htdocs/core/class/html.formprojet.class.php +++ b/htdocs/core/class/html.formprojet.class.php @@ -306,10 +306,9 @@ class FormProjets * @param int $disabled Disabled * @param string $morecss More css added to the select component * @param User $usertofilter User object to use for filtering - * @param int $forceuserfilter 1=Force individual task user rights even if user has right to see all * @return int Nbr of project if OK, <0 if KO */ - function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500', $usertofilter=null, $forceuserfilter=0) + function selectTasks($socid=-1, $selected='', $htmlname='taskid', $maxlength=24, $option_only=0, $show_empty='1', $discard_closed=0, $forcefocus=0, $disabled=0, $morecss='maxwidth500', $usertofilter=null) { global $user,$conf,$langs; @@ -326,7 +325,7 @@ class FormProjets if (! empty($conf->global->PROJECT_HIDE_UNSELECTABLES)) $hideunselectables = true; $projectsListId = false; - if (empty($usertofilter->rights->projet->all->lire) || $forceuserfilter) + if (empty($usertofilter->rights->projet->all->lire)) { $projectstatic=new Project($this->db); $projectsListId = $projectstatic->getProjectsAuthorizedForUser($usertofilter,0,1); 
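Review bot: selectTasks() picks the restricted branch with `empty($usertoprocess->rights->projet->all->lire)`, so the list this call produces depends on `$usertoprocess` having had its rights loaded before this point; if it was only fetched by id, the check fails closed and a read-all user is silently shown just their authorized projects. The construction of `$usertoprocess` is outside the hunk, so confirm the page loads its rights (presumably via the User object's rights loader) before the form is printed; the same applies to the identical call in perday.php. As in perday.php, the `''` passed for `$morecss` drops the `'maxwidth500'` default.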
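Review bot: Dropping the `$forceuserfilter` parameter is silent for callers: PHP ignores surplus arguments, so any caller that still passes a twelfth argument keeps working but no longer gets the forced filtering, with no warning. Since this is a public method of a shared form class, that deserves a line in the changelog; the `@param User $usertofilter` description should also say what omitting it means, e.g. `User object to use for filtering (null=current user)`. selectTasks() continues past the end of this hunk.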
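Review bot: With `$forceuserfilter` removed, a `$usertofilter` who holds `projet->all->lire` is once more offered every task, which is exactly the population the first commit's subject set out to restrict; if that is the accepted trade-off, record it at the branch so the flag is not reintroduced, e.g. `// Read-all users are offered every task; others only the projects getProjectsAuthorizedForUser() returns for them`. If it is not intended, enforcing it in the dropdown was never sufficient anyway, since the posted taskid has to be validated by the action handler.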
diff --git a/htdocs/projet/activity/perday.php b/htdocs/projet/activity/perday.php index b1214f0bff7..b27572790dd 100644 --- a/htdocs/projet/activity/perday.php +++ b/htdocs/projet/activity/perday.php @@ -399,7 +399,7 @@ print '
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200'); diff --git a/htdocs/projet/activity/perweek.php b/htdocs/projet/activity/perweek.php index d18afc573e1..3d2e638849e 100644 --- a/htdocs/projet/activity/perweek.php +++ b/htdocs/projet/activity/perweek.php @@ -402,7 +402,7 @@ print '
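Review bot: Narrowing the dropdown by `$usertoprocess` only changes what the browser is offered; the `taskid` that comes back with the form is still client-controlled, so the action that records time or assigns the task (outside this hunk) must itself verify that the task belongs to a project `$usertoprocess` is authorized for, or the restriction is bypassed with a hand-crafted POST. The same applies to the identical change in perweek.php. If that server-side check exists, a one-line comment here, `// Display filter only; the assign/addtime action re-validates taskid against the user's authorized projects`, makes the trust boundary explicit; if it does not, that check is the real fix.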
'; $titleassigntask = $langs->trans("AssignTaskToMe"); if ($usertoprocess->id != $user->id) $titleassigntask = $langs->trans("AssignTaskToUser", $usertoprocess->getFullName($langs)); print '
'; -$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess, 1); +$formproject->selectTasks($socid?$socid:-1, $taskid, 'taskid', 32, 0, 1, 1, 0, 0, '', $usertoprocess); print '
'; print ' '; print $formcompany->selectTypeContact($object, '', 'type','internal','rowid', 0, 'maxwidth200');