From 20e80a58a851bf33eb1cc20b4b207cd269d2380b Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Sun, 1 Apr 2018 11:43:39 +0200
Subject: [PATCH 1/6] Fix: limit access to internal users
---
 htdocs/admin/mails_templates.php | 3 +--
 htdocs/core/menus/init_menu_auguria.sql | 2 +-
 htdocs/core/menus/standard/eldy.lib.php | 7 +++++--
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php
index 77f969181f4..915faa03c95 100644
--- a/htdocs/admin/mails_templates.php
+++ b/htdocs/admin/mails_templates.php
@@ -55,8 +55,7 @@ $search_lang=GETPOST('search_lang','alpha');
 $search_fk_user=GETPOST('search_fk_user','intcomma');
 $search_topic=GETPOST('search_topic','alpha');
-$allowed=1;
-if (! $allowed) accessforbidden();
+if ($user->socid) accessforbidden();
 $acts[0] = "activate";
 $acts[1] = "disable";
diff --git a/htdocs/core/menus/init_menu_auguria.sql b/htdocs/core/menus/init_menu_auguria.sql
index c2dde1c8493..f4e0918051c 100644
--- a/htdocs/core/menus/init_menu_auguria.sql
+++ b/htdocs/core/menus/init_menu_auguria.sql
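Review bot: `if ($user->socid) accessforbidden();` is the only server-side restriction visible for this page, and it replaces a `$allowed=1` stub that never denied anyone, so the page was reachable by external users before this patch. The guard sits ahead of the `$acts` definitions here, but the action-handling code is outside the hunk and should be confirmed to come after it, because the menu changes in the same patch only hide the link and a user who knows the URL still lands on this line. A comment would keep the intent visible to the next editor: `// Reserved to internal users: external users (with a socid) must not read or edit e-mail templates`.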
@@ -311,7 +311,7 @@ insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, left
 insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->categorie->enabled', __HANDLER__, 'left', 3804__+MAX_llx_menu__, 'project', 'cat', 7__+MAX_llx_menu__, '/categories/index.php?leftmenu=cat&type=6', 'Categories', 0, 'categories', '$user->rights->categorie->lire', '', 2, 4, __ENTITY__);
 insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->categorie->enabled', __HANDLER__, 'left', 3805__+MAX_llx_menu__, 'project', '', 3804__+MAX_llx_menu__, '/categories/card.php?action=create&type=6', 'NewCategory', 1, 'categories', '$user->rights->categorie->creer', '', 2, 0, __ENTITY__);
 -- Tools
-insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '', __HANDLER__, 'left', 3900__+MAX_llx_menu__, 'tools', 'email_templates', 8__+MAX_llx_menu__, '/admin/mails_templates.php?leftmenu=email_templates', 'EMailTemplates', 0, '', '', '', 0, 0, __ENTITY__);
+insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', 'empty($user->socid)', __HANDLER__, 'left', 3900__+MAX_llx_menu__, 'tools', 'email_templates', 8__+MAX_llx_menu__, '/admin/mails_templates.php?leftmenu=email_templates', 'EMailTemplates', 0, '', '', '', 0, 0, __ENTITY__);
 insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->mailing->enabled', __HANDLER__, 'left', 3910__+MAX_llx_menu__, 'tools', 'mailing', 
8__+MAX_llx_menu__, '/comm/mailing/index.php?leftmenu=mailing', 'EMailings', 0, 'mails', '$user->rights->mailing->lire', '', 0, 0, __ENTITY__);
 insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->mailing->enabled', __HANDLER__, 'left', 3911__+MAX_llx_menu__, 'tools', '', 3910__+MAX_llx_menu__, '/comm/mailing/card.php?leftmenu=mailing&action=create', 'NewMailing', 1, 'mails', '$user->rights->mailing->creer', '', 0, 0, __ENTITY__);
 insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->mailing->enabled', __HANDLER__, 'left', 3912__+MAX_llx_menu__, 'tools', '', 3910__+MAX_llx_menu__, '/comm/mailing/list.php?leftmenu=mailing', 'List', 1, 'mails', '$user->rights->mailing->lire', '', 0, 1, __ENTITY__);
diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php
index fd3668aeaac..e930a0ab8b9 100644
--- a/htdocs/core/menus/standard/eldy.lib.php
+++ b/htdocs/core/menus/standard/eldy.lib.php
@@ -1418,8 +1418,11 @@ function print_left_eldy_menu($db,$menu_array_before,$menu_array_after,&$tabMenu
 */
 if ($mainmenu == 'tools')
 {
- $langs->load("mails");
- $newmenu->add("/admin/mails_templates.php?leftmenu=email_templates", $langs->trans("EMailTemplates"), 0, 1, '', $mainmenu, 'email_templates');
+ if (empty($user->socid)) // limit to internal users
+ {
+ $langs->load("mails");
+ $newmenu->add("/admin/mails_templates.php?leftmenu=email_templates", $langs->trans("EMailTemplates"), 0, 1, '', $mainmenu, 'email_templates');
+ }
 if (! empty($conf->mailing->enabled))
 {
From c720345e6d1af190b44552d5ae7793864ad41c4a Mon Sep 17 00:00:00 2001
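Review bot: The restriction is written into the `enabled` column as an evaluated PHP expression string, `'empty($user->socid)'`, while the same row's `usertype` column stays at `0`; if `0` denotes internal-only users (the category rows in this hunk use `2`), the new expression duplicates a filter the loader already applies, and if it does not, `usertype` is the column a reader would expect to carry the rule. Worth confirming which of the two the Auguria loader honours and keeping a single mechanism so they cannot drift apart. Either way this only hides the link; the `accessforbidden()` check added to mails_templates.php in the same patch is the actual control and must stay regardless of the menu row. The neighbouring rows keep user-level conditions in `perms` and module conditions in `enabled`, so this row also departs from the surrounding convention.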
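Review bot: `$langs->load("mails")` has moved inside the new `empty($user->socid)` guard, so for an external user the language file is no longer loaded before the `if (! empty($conf->mailing->enabled))` block that follows; if that block (its body is outside the hunk) translates keys from the mails file — the Auguria rows in this same patch declare `langs` 'mails' for EMailings, NewMailing and List — those entries will render untranslated for external users with the mailing module enabled. Keeping the load unconditional avoids that: leave `$langs->load("mails");` where it was, before the new `if`, and put only the `$newmenu->add(...)` call inside the guard. The menu guard is display-only; the `accessforbidden()` added to mails_templates.php in this patch is what enforces the restriction, so the two conditions need to be kept in step. print_left_eldy_menu continues outside the hunk.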
From: Regis Houssin
Date: Sun, 1 Apr 2018 11:47:10 +0200
Subject: [PATCH 2/6] Fix: better test
---
 htdocs/admin/mails_templates.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php
index 915faa03c95..fb2729bb77b 100644
--- a/htdocs/admin/mails_templates.php
+++ b/htdocs/admin/mails_templates.php
@@ -55,7 +55,7 @@ $search_lang=GETPOST('search_lang','alpha');
 $search_fk_user=GETPOST('search_fk_user','intcomma');
 $search_topic=GETPOST('search_topic','alpha');
-if ($user->socid) accessforbidden();
+if (! empty($user->socid)) accessforbidden();
 $acts[0] = "activate";
 $acts[1] = "disable";
From 39eab6d88d83f46278802f10a2064d03ca327003 Mon Sep 17 00:00:00 2001
From: Maxime Kohlhaas
Date: Tue, 3 Apr 2018 14:38:20 +0200
Subject: [PATCH 3/6] Fix service creation, right is tested regarding the product type
---
 htdocs/product/card.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/htdocs/product/card.php b/htdocs/product/card.php
index f65898bda68..9db9c156bf8 100644
--- a/htdocs/product/card.php
+++ b/htdocs/product/card.php
@@ -94,6 +94,8 @@ if ($id > 0 || ! empty($ref))
 if (! empty($conf->product->enabled)) $upload_dirold = $conf->product->multidir_output[$object->entity].'/'.substr(substr("000".$object->id, -2),1,1).'/'.substr(substr("000".$object->id, -2),0,1).'/'.$object->id."/photos";
 else $upload_dirold = $conf->service->multidir_output[$object->entity].'/'.substr(substr("000".$object->id, -2),1,1).'/'.substr(substr("000".$object->id, -2),0,1).'/'.$object->id."/photos";
 }
+} else {
+ $object->type = $type;
 }
 $modulepart='product';
From 0c3b92f09ace2a565877b89a753b6fc8c89f42c2 Mon Sep 17 00:00:00 2001
From: Maxime Kohlhaas
Date: Tue, 3 Apr 2018 14:53:57 +0200
Subject: [PATCH 4/6] Better fix
---
 htdocs/product/card.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/htdocs/product/card.php b/htdocs/product/card.php
index 9db9c156bf8..7ddf36f208b 100644
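Review bot: `! empty($user->socid)` keys the restriction on `socid`, while product/card.php in this same series (context of patch 4) identifies an external user through `$user->societe_id`; if the User object does not always populate both properties together, one of the two guards can pass for an external user while the other denies. Using the same property everywhere — or a single helper on User that answers "is external" — keeps the rule uniform; whether the two fields are always set together is not visible in this hunk and is worth checking in the User class.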
--- a/htdocs/product/card.php
+++ b/htdocs/product/card.php
@@ -77,6 +77,7 @@ $duration_unit = GETPOST('duration_unit');
 if (! empty($user->societe_id)) $socid=$user->societe_id;
 $object = new Product($db);
+$object->type = $type;
 $extrafields = new ExtraFields($db);
 // fetch optionals attributes and labels
@@ -94,8 +95,6 @@ if ($id > 0 || ! empty($ref))
 if (! empty($conf->product->enabled)) $upload_dirold = $conf->product->multidir_output[$object->entity].'/'.substr(substr("000".$object->id, -2),1,1).'/'.substr(substr("000".$object->id, -2),0,1).'/'.$object->id."/photos";
 else $upload_dirold = $conf->service->multidir_output[$object->entity].'/'.substr(substr("000".$object->id, -2),1,1).'/'.substr(substr("000".$object->id, -2),0,1).'/'.$object->id."/photos";
 }
-} else {
- $object->type = $type;
 }
 $modulepart='product';
From 55719cd166ba1ec0dc8211ebcacdf9d4eb888bfa Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 5 Apr 2018 16:20:50 +0200
Subject: [PATCH 5/6] Update card.php
---
 htdocs/product/card.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/product/card.php b/htdocs/product/card.php
index 7ddf36f208b..43b4ba581a2 100644
--- a/htdocs/product/card.php
+++ b/htdocs/product/card.php
@@ -77,7 +77,7 @@ $duration_unit = GETPOST('duration_unit');
 if (! empty($user->societe_id)) $socid=$user->societe_id;
 $object = new Product($db);
-$object->type = $type;
+$object->type = $type; // so test later to fill $usercancxxx is correct
 $extrafields = new ExtraFields($db);
 // fetch optionals attributes and labels
From 8cf56a5b9c44120241408041cf6a65f520ced49a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 5 Apr 2018 16:29:37 +0200
Subject: [PATCH 6/6] Fix regression
---
 htdocs/societe/class/societe.class.php | 2 --
 1 file changed, 2 deletions(-)
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index 80a7f7cc46a..e36caf49a3e 100644
--- a/htdocs/societe/class/societe.class.php
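Review bot: `$object->type = $type;` now runs before any fetch, so on the creation path the product-versus-service right test further down is driven by the request-supplied `type` value (the GETPOST filter for `$type` is outside the hunk); that is sound only if the create action persists the same `$type`, so that a user holding only one of the two creation rights cannot end up creating the other kind, and that should be confirmed in the action code. For an existing `$id`/`$ref` the fetch in the block below presumably overwrites the value, but a failed fetch leaves the request value in place, so nothing after the fetch should treat `$object->type` as authoritative without checking the fetch result. If `$type` is not already read with an int filter, `$object->type = (int) $type;` keeps the later comparison strict. A short comment at the assignment stating that the type is seeded from the request for the rights test and replaced by the fetch for existing records would spare the next reader the reasoning.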
+++ b/htdocs/societe/class/societe.class.php
@@ -2592,8 +2592,6 @@ class Societe extends CommonObject
 if ($res)
 {
- dol_include_once($file);
-
 $classname = $conf->global->SOCIETE_CODECOMPTA_ADDON;
 $mod = new $classname;