From 6cc20cb731dcd7c2d1e0b384d8ce1f79d4fdb7fb Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 14 Dec 2013 15:21:15 +0100
Subject: [PATCH] Fix: Filter on third parties were wrong for external users.

---
 htdocs/comm/list.php | 13 ++++++-------
 htdocs/comm/prospect/list.php | 14 ++++++--------
 htdocs/fourn/liste.php | 3 ++-
 3 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/htdocs/comm/list.php b/htdocs/comm/list.php
index 28696228e45..5864b4b4cee 100644
--- a/htdocs/comm/list.php
+++ b/htdocs/comm/list.php
@@ -56,6 +56,8 @@ $search_compta=GETPOST("search_compta");
 $search_sale = GETPOST("search_sale");
 $search_categ = GETPOST("search_categ",'int');
 $catid = GETPOST("catid",'int');
+// If the internal user must only see his customers, force searching by him
+if (!$user->rights->societe->client->voir && !$socid) $search_sale = $user->id;
 // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
 $hookmanager->initHooks(array('customerlist'));
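Review bot: The added override only pins `$search_sale` for users lacking `societe->client->voir`; for everyone else the value read two lines above by `GETPOST("search_sale")` — without the `'int'` filter — is what presumably ends up in the `sc.fk_user` predicate later in the file, which is outside this hunk, so confirm that line casts it. Since this commit makes `$search_sale` the sole carrier of the per-salesperson restriction, harden it here at the same time: `$search_sale = GETPOST("search_sale",'int');`. The new comment says "internal user", but the guard is `!$socid`, which assumes `$socid` has already been forced to `$user->societe_id` for external users above this hunk; if `$socid` can only come from the request, an external user who omits it is treated as internal by this check.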
@@ -98,17 +100,15 @@ llxHeader('',$langs->trans("ThirdParty"),$help_url);
 $sql = "SELECT s.rowid, s.nom as name, s.client, s.zip, s.town, st.libelle as stcomm, s.prefix_comm, s.code_client, s.code_compta, s.status as status,";
 $sql.= " s.datec, s.datea, s.canvas";
-// We'll need these fields in order to filter by sale (including the case where the user can only see his prospects)
-if ($search_sale) $sql .= ", sc.fk_soc, sc.fk_user";
+if ((!$user->rights->societe->client->voir && !$socid) || $search_sale) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
 $sql.= " FROM ".MAIN_DB_PREFIX."societe as s";
 if (! empty($search_categ) || ! empty($catid)) $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_societe as cs ON s.rowid = cs.fk_societe"; // We need this table joined to the select in order to filter by categ
+if ((!$user->rights->societe->client->voir && !$socid) || $search_sale) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
 $sql.= ", ".MAIN_DB_PREFIX."c_stcomm as st";
-// We'll need this table joined to the select in order to filter by sale
-if ($search_sale || !$user->rights->societe->client->voir) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= " WHERE s.fk_stcomm = st.id";
 $sql.= " AND s.client IN (1, 3)";
 $sql.= ' AND s.entity IN ('.getEntity('societe', 1).')';
-if (!$user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+if ((!$user->rights->societe->client->voir && !$socid) || $search_sale) $sql.= " AND s.rowid = sc.fk_soc";
 if ($socid) $sql.= " AND s.rowid = ".$socid;
 if ($search_sale) $sql.= " AND s.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
 if ($catid > 0) $sql.= " AND cs.fk_categorie = ".$catid;
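Review bot: The context line `if ($search_sale) $sql.= " AND s.rowid = sc.fk_soc"; // Join for the needed table to filter by sale` two lines below the added `s.rowid = sc.fk_soc` predicate is now fully subsumed by it — whenever `$search_sale` is set the new condition is also true — so the join predicate is emitted twice; delete the old line. More importantly, this hunk removes the only visible salesperson restriction (`AND sc.fk_user = " .$user->id`) and puts nothing in its place, so for a user without `voir` the filtering now rests entirely on a later `sc.fk_user = $search_sale` predicate that is not in the hunk. Confirm that predicate exists and casts its value to an integer, since `$search_sale` is read via `GETPOST` with no `'int'` type and is concatenated into the query.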
@@ -137,8 +137,7 @@ if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST))
 $sql.= $db->order($sortfield,$sortorder);
 $sql.= $db->plimit($conf->liste_limit +1, $offset);
-dol_syslog('comm:list.php: sql='.$sql,LOG_DEBUG);
-
+dol_syslog('comm/list.php: sql='.$sql,LOG_DEBUG);
 $result = $db->query($sql);
 if ($result)
 {
diff --git a/htdocs/comm/prospect/list.php b/htdocs/comm/prospect/list.php
index 873ef051612..43a800dec76 100644
--- a/htdocs/comm/prospect/list.php
+++ b/htdocs/comm/prospect/list.php
@@ -141,7 +141,7 @@ else dol_print_error($db);
 // Load sale and categ filters
 $search_sale = GETPOST('search_sale');
 $search_categ = GETPOST('search_categ');
-// If the user must only see his prospect, force searching by him
+// If the internal user must only see his prospect, force searching by him
 if (!$user->rights->societe->client->voir && !$socid) $search_sale = $user->id;
 // List of avaible states; we'll need that for each lines (quick changing prospect states) and for search bar (filter by prospect state)
@@ -176,18 +176,17 @@ $formother=new FormOther($db);
 $sql = "SELECT s.rowid, s.nom, s.zip, s.town, s.datec, s.datea, s.status as status,";
 $sql.= " st.libelle as stcomm, s.prefix_comm, s.fk_stcomm, s.fk_prospectlevel,";
 $sql.= " d.nom as departement";
-// Updated by Matelli
-if ($search_sale) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
+if ((!$user->rights->societe->client->voir && !$socid) || $search_sale) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects)
 $sql .= " FROM ".MAIN_DB_PREFIX."c_stcomm as st";
-if ($search_sale || !$user->rights->societe->client->voir) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
 $sql.= ", ".MAIN_DB_PREFIX."societe as s";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."c_departements as d on (d.rowid = s.fk_departement)";
 if (! empty($search_categ) || ! empty($catid)) $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_societe as cs ON s.rowid = cs.fk_societe"; // We need this table joined to the select in order to filter by categ
+if ((!$user->rights->societe->client->voir && !$socid) || $search_sale) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale
 $sql.= " WHERE s.fk_stcomm = st.id";
 $sql.= " AND s.client IN (2, 3)";
 $sql.= ' AND s.entity IN ('.getEntity('societe', 1).')';
-if ($user->societe_id) $sql.= " AND s.rowid = " .$user->societe_id;
-if ($search_sale) $sql.= " AND s.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
+if ((!$user->rights->societe->client->voir && !$socid) || $search_sale) $sql.= " AND s.rowid = sc.fk_soc";
+if ($socid) $sql.= " AND s.rowid = " .$socid;
 if (isset($stcomm) && $stcomm != '') $sql.= " AND s.fk_stcomm=".$stcomm;
 if ($catid > 0) $sql.= " AND cs.fk_categorie = ".$catid;
 if ($catid == -2) $sql.= " AND cs.fk_categorie IS NULL";
@@ -214,7 +213,6 @@ if ($socname)
 $sortfield = "s.nom";
 $sortorder = "ASC";
 }
-
 // Count total nb of records
 $nbtotalofrecords = 0;
 if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST))
@@ -222,10 +220,10 @@ if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST))
 $result = $db->query($sql);
 $nbtotalofrecords = $db->num_rows($result);
 }
-
 $sql.= " ORDER BY $sortfield $sortorder, s.nom ASC";
 $sql.= $db->plimit($conf->liste_limit+1, $offset);
+dol_syslog('comm/propsect/list.php: sql='.$sql,LOG_DEBUG);
 $resql = $db->query($sql);
 if ($resql)
 {
diff --git a/htdocs/fourn/liste.php b/htdocs/fourn/liste.php
index 16406eeb279..07be6c43fc6 100644
--- a/htdocs/fourn/liste.php
+++ b/htdocs/fourn/liste.php
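Review bot: The removed `if ($user->societe_id) $sql.= " AND s.rowid = " .$user->societe_id;` bound an external user to their own company unconditionally, whereas the added `if ($socid) $sql.= " AND s.rowid = " .$socid;` only does so if `$socid` was forced from `$user->societe_id` earlier in the file, which is outside this hunk. If `$socid` there comes from the request alone, an external user who omits it falls into the `!voir && !$socid` branch and is filtered only by `$search_sale`, which the earlier hunk sets to `$user->id` — a user id, not a company — so the prospect list would no longer be confined to their company. Confirm the forcing exists, or keep an explicit guard ahead of the query: `if ($user->societe_id > 0) $socid = $user->societe_id;`. The `sc.fk_user` predicate that consumes `$search_sale` is also not in this hunk; since `$search_sale` is read by `GETPOST('search_sale')` with no type, verify it is cast before concatenation.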
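Review bot: The added log line misspells the file name in its message — `dol_syslog('comm/propsect/list.php: sql='.$sql,LOG_DEBUG);` should be `dol_syslog('comm/prospect/list.php: sql='.$sql,LOG_DEBUG);` — so grepping the log by path will miss these entries. The sibling lines this commit adds in `comm/list.php` and `fourn/liste.php` use the correct paths.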
@@ -86,7 +86,7 @@ $sql.= ", ".MAIN_DB_PREFIX."c_stcomm as st";
 if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= " WHERE s.fk_stcomm = st.id AND s.fournisseur = 1";
 $sql.= " AND s.entity IN (".getEntity('societe', 1).")";
-if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc";
 if ($socid) $sql .= " AND s.rowid = ".$socid;
 if ($socname)
 {
@@ -114,6 +114,7 @@ if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST))
 $sql.= $db->order($sortfield,$sortorder);
 $sql.= $db->plimit($conf->liste_limit+1, $offset);
+dol_syslog('fourn/liste.php: sql='.$sql,LOG_DEBUG);
 $resql = $db->query($sql);
 if ($resql)
 {
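Review bot: The replaced line drops `AND sc.fk_user = " .$user->id` and adds no substitute: for an internal user without `societe->client->voir` and no `$socid`, the query now joins `societe_commerciaux` with only `s.rowid = sc.fk_soc`, so that user sees every supplier that has any sales representative assigned rather than only their own. In `comm/list.php` the same removal is paired with a new `$search_sale = $user->id` override that presumably feeds a later `sc.fk_user` predicate, but this diff adds no such override to `fourn/liste.php` and none is visible in the hunk; unless one already exists further down the file, this is an authorization regression. Restore the predicate on the changed line: `if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;`.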