From 7c9d85d091ba0d3754bc474e5e9cf47af07e3420 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Tue, 15 Jan 2019 12:18:04 +0100
Subject: [PATCH 1/4] FIX problem with multicompany transverse mode
Signed-off-by: Regis Houssin
---
 htdocs/core/lib/security.lib.php | 6 +++---
 htdocs/user/card.php | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index d2b768d75d5..d12ee339909 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -484,9 +484,9 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
 {
 $sql.= ",".MAIN_DB_PREFIX."usergroup_user as ug";
 $sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
- $sql.= " AND (ug.fk_user = dbt.rowid";
- $sql.= " AND ug.entity IN (".getEntity('user')."))";
- $sql.= " OR dbt.entity = 0"; // Show always superadmin
+ $sql.= " AND ((ug.fk_user = dbt.rowid";
+ $sql.= " AND ug.entity IN (".getEntity('usergroup')."))";
+ $sql.= " OR dbt.entity = 0)"; // Show always superadmin
 }
 }
 else {
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index f0b3fb819f2..bb3d7e7d8f6 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -84,9 +84,9 @@ $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2='user';
 if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
-if (!$canreaduser) {
- $result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
-}
+
+$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
+
 if ($user->id <> $id && ! $canreaduser) accessforbidden();
 // Load translation files required by page
From 41a38b3a0aa3308bbc73765ba8b816f1b161bd15 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Tue, 15 Jan 2019 15:44:45 +0100
Subject: [PATCH 2/4] FIX avoid php warning
Signed-off-by: Regis Houssin
---
 htdocs/install/inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
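Review bot: In the htdocs/core/lib/security.lib.php hunk of PATCH 1/4, the context line `$sql.= " WHERE dbt.".$dbt_select." IN (".$objectid.")";` directly above the regrouped condition concatenates `$objectid` into the statement unquoted, and nothing visible in the hunk casts or validates it. checkUserAccessToObject starts and ends outside the hunk, so a check may exist upstream; if it does not, building the list from integers in this branch, e.g. `$idlist = implode(',', array_map('intval', explode(',', $objectid)));` and using `$idlist` in the `IN (...)`, keeps this access-control query from depending on every caller. The new parentheses are what keep `OR dbt.entity = 0` inside the `IN (...)` filter, so a comment such as `// Keep the OR inside the outer parentheses: ungrouped, it matches entity-0 rows regardless of the IN (...) filter` would guard against a later regression.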
diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php
index 0a2a6866f26..0b924122ebb 100644
--- a/htdocs/install/inc.php
+++ b/htdocs/install/inc.php
@@ -196,7 +196,7 @@ if (constant('DOL_DATA_ROOT') === null) {
 }
 if (@file_exists($lockfile))
 {
- if (! is_object($langs))
+ if (! isset($langs) || ! is_object($langs))
 {
 $langs = new Translate('..', $conf);
 $langs->setDefaultLang('auto');
From adc442232398b95825e0559c894b2b0925514aba Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 15 Jan 2019 17:57:30 +0100
Subject: [PATCH 3/4] Update card.php
---
 htdocs/user/card.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index bb3d7e7d8f6..6db383ed515 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -85,7 +85,9 @@ if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2='user';
 if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
-$result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
+if (! $canreaduser) {
+ $result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
+}
 if ($user->id <> $id && ! $canreaduser) accessforbidden();
From 0d384eea008994aea4b7def68ad5f9493fa2a63d Mon Sep 17 00:00:00 2001
From: atm-quentin
Date: Wed, 16 Jan 2019 09:30:48 +0100
Subject: [PATCH 4/4] FIX credit note can have negative value
---
 htdocs/compta/facture/card.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php
index 9ad79393499..8541581fb49 100644
--- a/htdocs/compta/facture/card.php
+++ b/htdocs/compta/facture/card.php
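Review bot: In the htdocs/install/inc.php hunk of PATCH 2/4, the lock-file test on the context line `if (@file_exists($lockfile))` fails open: `file_exists()` returns false when the path cannot be reached (for example under an open_basedir restriction), and the `@` hides the warning that would say so, so the branch guarded here is simply skipped. The added `isset($langs)` guard itself looks fine. A comment on the test, e.g. `// @ hides path errors: an unreachable lock location is treated as "no lock file"`, would make that behaviour explicit for whoever maintains the installer gate; the body of this `if` continues outside the hunk.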
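Review bot: In the htdocs/user/card.php hunk of PATCH 3/4, putting `restrictedArea()` back behind `if (! $canreaduser)` means the per-object check is skipped whenever `$canreaduser` is already truthy, so the entity filter that PATCH 1/4 corrects in checkUserAccessToObject (presumably reached through `restrictedArea()`) would not run for those users when `$id` is someone else's card. `$canreaduser` is computed outside the hunk, so this is inferred from the visible lines only; if it reflects a general read permission rather than access to this specific `$id`, a narrower guard such as `if ($user->id != $id || ! $canreaduser) {` keeps the own-card shortcut while still checking other users' cards. `$result` is also never read in the visible lines.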
@@ -1695,7 +1695,7 @@ if (empty($reshook))
 setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentitiesnoconv('Type')), null, 'errors');
 $error++;
 }
- if ($prod_entry_mode == 'free' && empty($idprod) && (($price_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) || $price_ht == '') && $price_ht_devise == '') // Unit price can be 0 but not ''
+ if (($prod_entry_mode == 'free' && empty($idprod) && (($price_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) || $price_ht == '') && $price_ht_devise == '') && $object->type != Facture::TYPE_CREDIT_NOTE) // Unit price can be 0 but not ''
 {
 if ($price_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES))
 {
@@ -2155,7 +2155,7 @@ if (empty($reshook))
 setEventMessages($langs->trans('ErrorQtyForCustomerInvoiceCantBeNegative'), null, 'errors');
 $error++;
 }
- if (empty($productid) && (($pu_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) || $pu_ht == '') && $pu_ht_devise == '') // Unit price can be 0 but not ''
+ if ((empty($productid) && (($pu_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES)) || $pu_ht == '') && $pu_ht_devise == '') && $object->type != Facture::TYPE_CREDIT_NOTE) // Unit price can be 0 but not ''
 {
 if ($pu_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES))
 {
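Review bot: In both htdocs/compta/facture/card.php hunks (@@ -1695 and @@ -2155), the new `&& $object->type != Facture::TYPE_CREDIT_NOTE` is applied to the whole condition, so a credit note skips the empty-price test (`$price_ht == ''` / `$pu_ht == ''`) as well as the negative-price test, which contradicts the trailing comment "Unit price can be 0 but not ''". Scoping the exemption to the negative branch keeps the required-field check for credit notes: `(($price_ht < 0 && empty($conf->global->FACTURE_ENABLE_NEGATIVE_LINES) && $object->type != Facture::TYPE_CREDIT_NOTE) || $price_ht == '')`, and the same with `$pu_ht` in the second hunk. The body of each `if` continues outside its hunk.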