Fix permissions on BOMs

2021-03-23 18:02:52 +01:00 · 2021-03-23 18:02:52 +01:00 · 5ff9038e4e
commit 5ff9038e4e
parent 3a463ac061
5 changed files with 8 additions and 6 deletions
--- a/htdocs/bom/bom_agenda.php
+++ b/htdocs/bom/bom_agenda.php
@ -86,7 +86,7 @@ if ($id > 0 || !empty($ref)) {
 //if ($user->socid > 0) accessforbidden();
 //if ($user->socid > 0) $socid = $user->socid;
 $isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
-restrictedArea($user, 'bom', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
+restrictedArea($user, 'bom', $object->id, 'bom_bom', '', '', 'rowid', $isdraft);


 /*
--- a/htdocs/bom/bom_card.php
+++ b/htdocs/bom/bom_card.php
@ -76,7 +76,7 @@ include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be includ
 //if ($user->socid > 0) accessforbidden();
 //if ($user->socid > 0) $socid = $user->socid;
 $isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
-$result = restrictedArea($user, 'bom', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
+$result = restrictedArea($user, 'bom', $object->id, 'bom_bom', '', '', 'rowid', $isdraft);

 $permissionnote = $user->rights->bom->write; // Used by the include of actions_setnotes.inc.php
 $permissiondellink = $user->rights->bom->write; // Used by the include of actions_dellink.inc.php
--- a/htdocs/bom/bom_document.php
+++ b/htdocs/bom/bom_document.php
@ -83,7 +83,7 @@ if ($id > 0 || !empty($ref)) {
 //if ($user->socid > 0) accessforbidden();
 //if ($user->socid > 0) $socid = $user->socid;
 $isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
-restrictedArea($user, 'bom', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
+restrictedArea($user, 'bom', $object->id, 'bom_bom', '', '', 'rowid', $isdraft);


 /*
--- a/htdocs/bom/bom_note.php
+++ b/htdocs/bom/bom_note.php
@ -63,7 +63,7 @@ $permissionnote = $user->rights->bom->write; // Used by the include of actions_s
 //if ($user->socid > 0) accessforbidden();
 //if ($user->socid > 0) $socid = $user->socid;
 $isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
-restrictedArea($user, 'bom', $object->id, '', '', 'fk_soc', 'rowid', $isdraft);
+restrictedArea($user, 'bom', $object->id, 'bom_bom', '', '', 'rowid', $isdraft);


 /*
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@ -552,8 +552,8 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 	global $db, $conf;

 	//dol_syslog("functions.lib:restrictedArea $feature, $objectid, $dbtablename, $feature2, $dbt_socfield, $dbt_select, $isdraft");
-	//print "user_id=".$user->id.", features=".join(',', $featuresarray).", feature2=".$feature2.", objectid=".$objectid;
-	//print ", tableandshare=".$tableandshare.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select."<br>";
+	print "user_id=".$user->id.", features=".join(',', $featuresarray).", feature2=".$feature2.", objectid=".$objectid;
+	print ", tableandshare=".$tableandshare.", dbt_socfield=".$dbt_keyfield.", dbt_select=".$dbt_select."<br>";

 	// More parameters
 	$params = explode('&', $tableandshare);
@ -747,6 +747,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 				$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 			}
 		}
+		print $sql;

 		if ($sql) {
 			$resql = $db->query($sql);
@ -756,6 +757,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 					return false;
 				}
 			} else {
+				dol_syslog("Bad forged sql in checkUserAccessToObject", LOG_WARNING);
 				return false;
 			}
 		}