diff --git a/htdocs/product/agenda.php b/htdocs/product/agenda.php index bf25675865f..a03bdb22477 100644 --- a/htdocs/product/agenda.php +++ b/htdocs/product/agenda.php @@ -52,7 +52,6 @@ $ref = GETPOST('ref', 'alpha'); if ($user->socid) { $id = $user->socid; } -$result = restrictedArea($user, 'produit|service', $id, 'product&product'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); @@ -74,6 +73,8 @@ if (!$sortorder) { // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('agendathirdparty')); +$result = restrictedArea($user, 'produit|service', $id, 'product&product'); + /* * Actions diff --git a/htdocs/product/ajax/products.php b/htdocs/product/ajax/products.php index b09c29f75da..c620320fafe 100644 --- a/htdocs/product/ajax/products.php +++ b/htdocs/product/ajax/products.php @@ -62,6 +62,9 @@ $alsoproductwithnosupplierprice = GETPOST('alsoproductwithnosupplierprice', 'int $warehouseStatus = GETPOST('warehousestatus', 'alpha'); $hidepriceinlabel = GETPOST('hidepriceinlabel', 'int'); +// Security check +$result = restrictedArea($user, 'produit|service', 0, 'product&product'); + /* * View @@ -216,10 +219,13 @@ if (!empty($action) && $action == 'fetch' && !empty($id)) { return; } + // Filter on product to search can be: + // Into an array with key $htmlname123 (we take first one found) + // Into a var with name $htmlname can be 'prodid', 'productid', ... $match = preg_grep('/('.$htmlname.'[0-9]+)/', array_keys($_GET)); sort($match); - $idprod = (!empty($match[0]) ? $match[0] : ''); + $idprod = (empty($match[0]) ? '' : $match[0]); // Take first param in GET with key answer if (GETPOST($htmlname, 'alpha') == '' && (!$idprod || !GETPOST($idprod, 'alpha'))) { print json_encode(array()); diff --git a/htdocs/product/document.php b/htdocs/product/document.php index c218d753d88..55cf32b7b56 100644 
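Review bot: In the second agenda.php hunk, restrictedArea() now runs only after $hookmanager->initHooks(), so hook initialisation (and whatever module hook code it pulls in) executes for a caller who has not yet passed the access check; the same reordering places the object fetch, canvas loading or translation/hook setup ahead of the check in document.php, fournisseurs.php, index.php, note.php, popuprop.php, price.php, reassort.php and reassortlot.php. Nothing visible in these hunks prints or redirects before the check, but most of the code between the old and new positions lies outside the hunks, so it is worth confirming that none of it emits output, a redirect or a DB error for an id/ref the user is not entitled to see. The diff does not say why the check had to move; a short comment at its new position, e.g. `// Security check (kept after hook/object initialisation on purpose)`, would record that intent for the next reader. The first hunk is the matching removal, and the surrounding file-level code continues outside both hunks.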
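Review bot: The `$match = preg_grep('/('.$htmlname.'[0-9]+)/', array_keys($_GET));` line that the new comment in the second ajax/products.php hunk documents interpolates $htmlname into the pattern unescaped; if $htmlname is taken from the request (its assignment is outside the hunk), a value containing `/` or a regex metacharacter alters or breaks the pattern, preg_grep then returns false, and the following sort() and $match[0] access do not handle that. Escaping it, `$match = preg_grep('/('.preg_quote($htmlname, '/').'[0-9]+)/', array_keys($_GET));`, keeps the match literal. Separately, the check added in the first hunk passes objectid 0, so only the module permission is verified and not the specific product the fetch action later loads via $id; if $id is already populated at that point, passing it instead of 0 would also apply the per-object restriction. The enclosing if block of the second hunk starts and ends outside the hunk.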
--- a/htdocs/product/document.php +++ b/htdocs/product/document.php @@ -52,7 +52,6 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productdocuments')); @@ -98,6 +97,8 @@ $modulepart = 'produit'; $permissiontoadd = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer)); +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + /* * Actions diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php index 6e3b487a429..0d5ea9647f5 100644 --- a/htdocs/product/fournisseurs.php +++ b/htdocs/product/fournisseurs.php @@ -73,7 +73,6 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); if (empty($user->rights->fournisseur->lire)) { accessforbidden(); @@ -114,6 +113,8 @@ if (!$sortorder) { $sortorder = "ASC"; } +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + /* * Actions diff --git a/htdocs/product/index.php b/htdocs/product/index.php index 9cdbe85cf4b..7d5f59c1ed9 100644 --- a/htdocs/product/index.php +++ b/htdocs/product/index.php 
@@ -41,6 +41,14 @@ if ($type == '' && !$user->rights->service->lire) { $type = '0'; // Force global page on product page only } +// Load translation files required by the page +$langs->loadLangs(array('products', 'stocks')); + +// Initialize technical object to manage hooks. Note that conf->hooks_modules contains array of hooks +$hookmanager->initHooks(array('productindex')); + +$product_static = new Product($db); + // Security check if ($type == '0') { $result = restrictedArea($user, 'produit'); @@ -50,14 +58,6 @@ if ($type == '0') { $result = restrictedArea($user, 'produit|service|expedition'); } -// Load translation files required by the page -$langs->loadLangs(array('products', 'stocks')); - -// Initialize technical object to manage hooks. Note that conf->hooks_modules contains array of hooks -$hookmanager->initHooks(array('productindex')); - -$product_static = new Product($db); - /* * View diff --git a/htdocs/product/note.php b/htdocs/product/note.php index 348d5956588..add915181a2 100644 --- a/htdocs/product/note.php +++ b/htdocs/product/note.php @@ -43,7 +43,6 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); $object = new Product($db); if ($id > 0 || !empty($ref)) { @@ -52,6 +51,8 @@ if ($id > 0 || !empty($ref)) { $permissionnote = $user->rights->produit->creer; // Used by the include of actions_setnotes.inc.php +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + /* * Actions diff --git a/htdocs/product/popuprop.php b/htdocs/product/popuprop.php index 2b84f11ac66..f23b6eae92d 100644 --- a/htdocs/product/popuprop.php +++ b/htdocs/product/popuprop.php 
@@ -42,7 +42,6 @@ $mode = GETPOST('mode', 'alpha') ? GETPOST('mode', 'alpha') : ''; if (!empty($user->socid)) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); @@ -61,9 +60,10 @@ $offset = $limit * $page; $pageprev = $page - 1; $pagenext = $page + 1; - $staticproduct = new Product($db); +$result = restrictedArea($user, 'produit|service', 0, 'product&product'); + /* * View diff --git a/htdocs/product/price.php b/htdocs/product/price.php index 6647201b719..a08eaa8558b 100644 --- a/htdocs/product/price.php +++ b/htdocs/product/price.php @@ -68,7 +68,6 @@ $fieldtype = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) { $socid = $user->socid; } -$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); if ($id > 0 || !empty($ref)) { $object = new Product($db); @@ -83,6 +82,8 @@ if ((!empty($conf->global->PRODUIT_MULTIPRICES) || !empty($conf->global->PRODUIT // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productpricecard', 'globalcard')); +$result = restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype); + /* * Actions diff --git a/htdocs/product/reassort.php b/htdocs/product/reassort.php index 5e0720e106c..342acb49b6e 100644 --- a/htdocs/product/reassort.php +++ b/htdocs/product/reassort.php @@ -35,13 +35,6 @@ require_once DOL_DOCUMENT_ROOT.'/product/class/html.formproduct.class.php'; // Load translation files required by the page $langs->loadLangs(array('products', 'stocks')); -// Security check -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'produit|service'); - - $action = GETPOST('action', 'aZ09'); $sref = GETPOST("sref", 'alpha'); $snom = GETPOST("snom", 'alpha'); 
@@ -99,6 +92,10 @@ if (!empty($conf->global->STOCK_CALCULATE_ON_SHIPMENT) // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('productreassortlist')); +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'produit|service', 0, 'product&product'); /* diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php index a443fe10f62..38b16cea44a 100644 --- a/htdocs/product/reassortlot.php +++ b/htdocs/product/reassortlot.php @@ -37,13 +37,6 @@ require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php'; // Load translation files required by the page $langs->loadLangs(array('products', 'stocks', 'productbatch')); -// Security check -if ($user->socid) { - $socid = $user->socid; -} -$result = restrictedArea($user, 'produit|service'); - - $action = GETPOST('action', 'aZ09'); $sref = GETPOST("sref", 'alpha'); $snom = GETPOST("snom", 'alpha'); @@ -89,6 +82,11 @@ if (!empty($canvas)) { $objcanvas->getCanvas('product', 'list', $canvas); } +// Security check +if ($user->socid) { + $socid = $user->socid; +} +$result = restrictedArea($user, 'produit|service', 0, 'product&product'); /* diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php index 2a5f2b84a53..68efa8e694c 100644 --- a/htdocs/societe/card.php +++ b/htdocs/societe/card.php 
@@ -117,6 +117,13 @@ if (!empty($canvas)) { $objcanvas->getCanvas('thirdparty', 'card', $canvas); } +$permissiontoread = $user->rights->societe->lire; +$permissiontoadd = $user->rights->societe->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php +$permissiontodelete = $user->rights->societe->supprimer || ($permissiontoadd && isset($object->status) && $object->status == 0); +$permissionnote = $user->rights->societe->creer; // Used by the include of actions_setnotes.inc.php +$permissiondellink = $user->rights->societe->creer; // Used by the include of actions_dellink.inc.php +$upload_dir = $conf->societe->multidir_output[isset($object->entity) ? $object->entity : 1]; + // Security check $result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', 0); @@ -130,12 +137,6 @@ if ($object->id > 0) { } */ -$permissiontoread = $user->rights->societe->lire; -$permissiontoadd = $user->rights->societe->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php -$permissiontodelete = $user->rights->societe->supprimer || ($permissiontoadd && isset($object->status) && $object->status == 0); -$permissionnote = $user->rights->societe->creer; // Used by the include of actions_setnotes.inc.php -$permissiondellink = $user->rights->societe->creer; // Used by the include of actions_dellink.inc.php -$upload_dir = $conf->societe->multidir_output[isset($object->entity) ? $object->entity : 1]; /*
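Review bot: $permissiontodelete and $upload_dir are now computed before restrictedArea() and both read $object (`$object->status`, `$object->entity`) at a point where the hunk does not show whether the thirdparty has already been fetched; if the fetch happens later, `isset($object->status)` is never true here, $permissiontodelete silently narrows to the `supprimer` right alone and $upload_dir always falls back to entity 1. Worth confirming that the fetch precedes line 117, or keeping these two assignments after the load as they were. The other permission variables only read rights, so nothing in the moved block leaks before the check. The second hunk is the matching removal.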