From 5da8b4081217fd15199d22c5b3c6ec7f9bff6f79 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 29 Nov 2009 19:05:22 +0000
Subject: [PATCH] Fix: Project not linked to companies must be visible.
---
 htdocs/lib/functions.lib.php | 39 +++++++++++++++++++-----------------
 htdocs/projet/liste.php | 7 +++----
 2 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php
index 9c237dcea88..9dc5922c8b6 100644
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@@ -1640,8 +1640,11 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 {
 $sql='';
- $check = array('user','usergroup','produit','service','produit|service');
- $nocheck = array('categorie','barcode','stock','fournisseur');
+ $check = array('user','usergroup','produit','service','produit|service'); // Test on entity only (Objects with no link to company)
+ $checksoc = array('societe'); // Test for societe object
+ $checkother = array('contact','projet'); // Test on entity and link to societe. Allowed if link is empty (Ex: contacts, projects...).
+ // Others: Test on entity and link to societe. Not allowed if link is empty (Ex: invoice, orders...).
+ $nocheck = array('categorie','barcode','stock','fournisseur'); // No test
 // If dbtable not defined, we use same name for table than module name
 if (empty($dbtablename)) $dbtablename = $feature;
@@ -1654,7 +1657,7 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 $sql.= " WHERE dbt.".$dbt_select." = ".$objectid;
 $sql.= " AND dbt.entity IN (0,".$conf->entity.")";
 }
- else if ($feature == 'societe')
+ else if (in_array($feature,$checksoc))
 {
 // If external user: Check permission for external users
 if ($user->societe_id > 0)
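Review bot: The new `else if (in_array($feature,$checksoc))` test is a loose comparison; `in_array` without its third argument compares with `==`, so a non-string `$feature` could match a list entry it does not equal. Pass `true` as the third argument, `else if (in_array($feature,$checksoc,true))`, and do the same for the `$checkother` test in the next hunk and the existing `$nocheck` test. As `$feature` appears to be a string here this is defensive rather than a live bug, but these lists decide which access check runs, so the comparison should be strict. restrictedArea begins before this hunk and continues past it.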
@@ -1681,33 +1684,33 @@ function restrictedArea($user, $features='societe', $objectid=0, $dbtablename=''
 $sql.= " AND s.entity = ".$conf->entity;
 }
 }
- else if ($feature == 'contact')
+ else if (in_array($feature,$checkother))
 {
 // If external user: Check permission for external users
 if ($user->societe_id > 0)
 {
- $sql = "SELECT sp.rowid";
- $sql.= " FROM ".MAIN_DB_PREFIX."socpeople as sp";
- $sql.= " WHERE sp.rowid = ".$objectid;
- $sql.= " AND sp.fk_soc = ".$user->societe_id;
+ $sql = "SELECT dbt.rowid";
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= " WHERE dbt.rowid = ".$objectid;
+ $sql.= " AND dbt.fk_soc = ".$user->societe_id;
 }
 // If internal user: Check permission for internal users that are restricted on their objects
 else if (! $user->rights->societe->client->voir)
 {
- $sql = "SELECT sp.rowid";
- $sql.= " FROM ".MAIN_DB_PREFIX."socpeople as sp";
- $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sp.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'";
- $sql.= " WHERE sp.rowid = ".$objectid;
- $sql.= " AND (sp.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
- $sql.= " AND sp.entity = ".$conf->entity;
+ $sql = "SELECT dbt.rowid";
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'";
+ $sql.= " WHERE dbt.rowid = ".$objectid;
+ $sql.= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
+ $sql.= " AND dbt.entity = ".$conf->entity;
 }
 // If multicompany and internal users with all permissions, check user is in correct entity
 else if ($conf->global->MAIN_MODULE_MULTICOMPANY)
 {
- $sql = "SELECT sp.rowid";
- $sql.= " FROM ".MAIN_DB_PREFIX."socpeople as sp";
- $sql.= " WHERE sp.rowid = ".$objectid;
- $sql.= " AND sp.entity = ".$conf->entity;
+ $sql = "SELECT dbt.rowid";
+ $sql.= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql.= " WHERE dbt.rowid = ".$objectid;
+ $sql.= " AND dbt.entity = ".$conf->entity;
 }
 }
 else if (!in_array($feature,$nocheck))
diff --git a/htdocs/projet/liste.php b/htdocs/projet/liste.php
index 04c4aa13f80..b49765cb61a 100644
--- a/htdocs/projet/liste.php
+++ b/htdocs/projet/liste.php
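Review bot: The three rewritten queries take their table from `$dbtablename`, which the first hunk defaults to `$feature` when the caller omits it; for the `contact` feature that yields `MAIN_DB_PREFIX.'contact'` where the replaced lines queried `socpeople`, so a caller passing `'contact'` without a table name now checks a different table than before (callers are outside this page, so confirm). Map it explicitly before the default is applied, `if ($feature == 'contact' && empty($dbtablename)) $dbtablename = 'socpeople';`, or require the table name for every `$checkother` feature. Because `$dbtablename` is a caller-supplied string spliced into SQL, only names from a fixed list of known tables should reach the query, and the new `" WHERE dbt.rowid = ".$objectid` lines still concatenate `$objectid` unquoted, which `(int) $objectid` would keep numeric. restrictedArea starts before this hunk and ends after it.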
@@ -72,14 +72,13 @@ $staticsoc=new Societe($db);
 $sql = "SELECT p.rowid as projectid, p.ref, p.title, ".$db->pdate("p.dateo")." as do, p.fk_user_resp,";
 $sql.= " u.login,";
 $sql.= " s.nom, s.rowid as socid, s.client";
-$sql.= " FROM (".MAIN_DB_PREFIX."projet as p";
-if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
-$sql.= ")";
+$sql.= " FROM ".MAIN_DB_PREFIX."projet as p";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."user as u on p.fk_user_resp = u.rowid";
+if (!$user->rights->societe->client->voir && !$socid) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON p.fk_soc = sc.fk_soc AND sc.fk_user = ".$user->id;
 $sql.= " WHERE p.entity = ".$conf->entity;
 if ($_REQUEST["mode"]=='mine') $sql.=' AND p.fk_user_resp='.$user->id;
-if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
+if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND (p.fk_soc IS NULL or sc.fk_soc IS NOT NULL)";
 if ($socid) $sql.= " AND s.rowid = ".$socid;
 if ($_GET["search_ref"])
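Review bot: The added `LEFT JOIN ... societe_commerciaux as sc` and the added `AND (p.fk_soc IS NULL or sc.fk_soc IS NOT NULL)` are guarded by the same condition written out twice; if either copy is edited later the WHERE clause references an alias `sc` that was never joined and the query fails. Evaluate the condition once, `$restrictToOwnCompanies = (!$user->rights->societe->client->voir && !$socid);`, and use that variable for both lines. If `societe_commerciaux` can hold more than one row per (fk_soc, fk_user) pair (not visible here), the new LEFT JOIN would also repeat a project row once per match, which an EXISTS subquery or `DISTINCT` would avoid. The new join concatenates `$user->id` unquoted, where `(int) $user->id` keeps the literal numeric. The `$sql` construction continues past this hunk.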