Fix: security with multi-company

2009-05-04 08:31:42 +00:00 · 2009-05-04 08:31:42 +00:00 · 825f3346c9
commit 825f3346c9
parent 7eb2cdef3d
21 changed files with 230 additions and 63 deletions
--- a/htdocs/categories/categorie.php
+++ b/htdocs/categories/categorie.php
@ -41,19 +41,20 @@ if ($_REQUEST["socid"])
 	if ($_REQUEST["typeid"] == 2) { $type = 'societe'; $socid = isset($_REQUEST["socid"])?$_REQUEST["socid"]:''; }
 	$objecttype = 'societe';
 	$objectid = isset($_REQUEST["socid"])?$_REQUEST["socid"]:'';
+	$fieldid = 'rowid';
 }
 else if ($_REQUEST["id"] || $_REQUEST["ref"])
 {
 	$type = 'produit';
 	$objecttype = 'produit';
+	$objectid = isset($_REQUEST["id"])?$_REQUEST["id"]:(isset($_REQUEST["ref"])?$_REQUEST["ref"]:'');
 	$dbtablename = 'product';
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }

 // Security check
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, $objecttype, $objectid, $dbtablename);
-
-
+$result = restrictedArea($user,$objecttype,$objectid,$dbtablename,'','',$fieldid);

 /*
 *	Actions
--- a/htdocs/product/barcode.php
+++ b/htdocs/product/barcode.php
@ -1,7 +1,7 @@
 <?php
 /* Copyright (C) 2001-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
 * Copyright (C) 2004-2008 Laurent Destailleur  <eldy@users.sourceforge.net>
- * Copyright (C) 2005-2007 Regis Houssin        <regis@dolibarr.fr>
+ * Copyright (C) 2005-2009 Regis Houssin        <regis@dolibarr.fr>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -33,8 +33,20 @@ require_once(DOL_DOCUMENT_ROOT."/includes/barcode/html.formbarcode.class.php");
 $langs->load("products");
 $langs->load("bills");

-if (!$user->rights->barcode->lire)
-accessforbidden();
+// Security check
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
+if ($user->societe_id) $socid=$user->societe_id;
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 /*
 * Actions
--- a/htdocs/product/document.php
+++ b/htdocs/product/document.php
@ -36,12 +36,22 @@ require_once(DOL_DOCUMENT_ROOT."/html.formfile.class.php");
 $langs->load("other");
 $langs->load("products");

-// Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
 $action=empty($_GET['action']) ? (empty($_POST['action']) ? '' : $_POST['action']) : $_GET['action'];
-if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');

+// Security check
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
+if ($user->societe_id) $socid=$user->societe_id;
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 // Get parameters
 $page=$_GET["page"];
--- a/htdocs/product/fiche.php
+++ b/htdocs/product/fiche.php
@ -36,8 +36,6 @@ require_once(DOL_DOCUMENT_ROOT."/facture.class.php");
 require_once(DOL_DOCUMENT_ROOT."/product.class.php");
 require_once(DOL_DOCUMENT_ROOT."/commande/commande.class.php");

-if (!$user->rights->produit->lire) accessforbidden();
-
 $langs->load("bills");
 $langs->load("other");
 $langs->load("stocks");
--- a/htdocs/product/fournisseurs.php
+++ b/htdocs/product/fournisseurs.php
@ -36,9 +36,19 @@ $langs->load("suppliers");
 $langs->load("bills");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 $mesg = '';

--- a/htdocs/product/photos.php
+++ b/htdocs/product/photos.php
@ -35,9 +35,19 @@ $langs->load("products");
 $langs->load("bills");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 $mesg = '';

--- a/htdocs/product/popuprop.php
+++ b/htdocs/product/popuprop.php
@ -28,6 +28,10 @@
 require("./pre.inc.php");
 require_once(DOL_DOCUMENT_ROOT.'/product.class.php');

+// Security check
+if ($user->societe_id) $socid=$user->societe_id;
+$result=restrictedArea($user,'produit');
+
 $sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
 $sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
 $page = $_GET["page"];
@ -46,7 +50,10 @@ $staticproduct=new Product($db);
 llxHeader();

 //On n'affiche le lien page suivante que s'il y a une page suivante ...
-$sql = "select count(*) as c from ".MAIN_DB_PREFIX."product";
+$sql = "SELECT count(*) as c";
+$sql.= " FROM ".MAIN_DB_PREFIX."product";
+$sql.= " WHERE entity = ".$conf->entity;
+
 $result=$db->query($sql);
 if ($result)
 {
--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
@ -35,9 +35,19 @@ $langs->load("products");
 $langs->load("bills");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);


 /*
--- a/htdocs/product/reassort.php
+++ b/htdocs/product/reassort.php
@ -32,8 +32,9 @@ require_once(DOL_DOCUMENT_ROOT."/categories/categorie.class.php");
 $langs->load("products");
 $langs->load("stocks");

-if (!$user->rights->produit->lire)
-accessforbidden();
+// Security check
+if ($user->societe_id) $socid=$user->societe_id;
+$result=restrictedArea($user,'produit');


 $sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
--- a/htdocs/product/sousproduits/fiche.php
+++ b/htdocs/product/sousproduits/fiche.php
@ -36,9 +36,19 @@ $langs->load("bills");
 $langs->load("products");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 $mesg = '';

--- a/htdocs/product/stats/commande.php
+++ b/htdocs/product/stats/commande.php
@ -36,9 +36,19 @@ $langs->load("products");
 $langs->load("companies");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 $mesg = '';

--- a/htdocs/product/stats/commande_fournisseur.php
+++ b/htdocs/product/stats/commande_fournisseur.php
@ -36,9 +36,19 @@ $langs->load("products");
 $langs->load("companies");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 $mesg = '';

--- a/htdocs/product/stats/commandestats.class.php
+++ b/htdocs/product/stats/commandestats.class.php
@ -35,7 +35,12 @@ class CommandeStats
  function getNbCommandeByYear()
  {
    $result = array();
-    $sql = "SELECT date_format(date_commande,'%Y') as dm, count(*)  FROM ".MAIN_DB_PREFIX."commande GROUP BY dm DESC WHERE fk_statut > 0";
+    $sql = "SELECT date_format(date_commande,'%Y') as dm, count(*)";
+    $sql.= " FROM ".MAIN_DB_PREFIX."commande";
+    $sql.= " WHERE fk_statut > 0";
+    $sql.= " AND entity = ".$conf->entity;
+    $sql.= " GROUP BY dm DESC";
+
    if ($this->db->query($sql))
      {
 	$num = $this->db->num_rows();
@ -58,9 +63,12 @@ class CommandeStats
  function getNbCommandeByMonth($year)
  {
    $result = array();
-    $sql = "SELECT date_format(date_commande,'%m') as dm, count(*)  FROM ".MAIN_DB_PREFIX."commande";
-    $sql .= " WHERE date_format(date_commande,'%Y') = $year AND fk_statut > 0";
-    $sql .= " GROUP BY dm DESC";
+    $sql = "SELECT date_format(date_commande,'%m') as dm, count(*)";
+    $sql.= " FROM ".MAIN_DB_PREFIX."commande";
+    $sql.= " WHERE date_format(date_commande,'%Y') = ".$year;
+    $sql.= " AND fk_statut > 0";
+    $sql.= " AND entity = ".$conf->entity;
+    $sql.= " GROUP BY dm DESC";

    if ($this->db->query($sql))
      {
@ -90,9 +98,12 @@ class CommandeStats
  function getCommandeAmountByMonth($year)
  {
    $result = array();
-    $sql = "SELECT date_format(date_commande,'%m') as dm, sum(total_ht)  FROM ".MAIN_DB_PREFIX."commande";
-    $sql .= " WHERE date_format(date_commande,'%Y') = $year AND fk_statut > 0";
-    $sql .= " GROUP BY dm DESC";
+    $sql = "SELECT date_format(date_commande,'%m') as dm, sum(total_ht)";
+    $sql.= " FROM ".MAIN_DB_PREFIX."commande";
+    $sql.= " WHERE date_format(date_commande,'%Y') = ".$year;
+    $sql.= " AND fk_statut > 0";
+    $sql.= " AND entity = ".$conf->entity;
+    $sql.= " GROUP BY dm DESC";

    if ($this->db->query($sql))
      {
@ -122,9 +133,12 @@ class CommandeStats
  function getCommandeAverageByMonth($year)
  {
    $result = array();
-    $sql = "SELECT date_format(date_commande,'%m') as dm, avg(total_ht)  FROM ".MAIN_DB_PREFIX."commande";
-    $sql .= " WHERE date_format(date_commande,'%Y') = $year AND fk_statut > 0";
-    $sql .= " GROUP BY dm DESC";
+    $sql = "SELECT date_format(date_commande,'%m') as dm, avg(total_ht)";
+    $sql.= " FROM ".MAIN_DB_PREFIX."commande";
+    $sql.= " WHERE date_format(date_commande,'%Y') = ".$year;
+    $sql.= " AND fk_statut > 0";
+    $sql.= " AND entity = ".$conf->entity;
+    $sql.= " GROUP BY dm DESC";

    if ($this->db->query($sql))
      {
--- a/htdocs/product/stats/contrat.php
+++ b/htdocs/product/stats/contrat.php
@ -34,6 +34,21 @@ $langs->load("contracts");
 $langs->load("products");
 $langs->load("companies");

+// Security check
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
+if ($user->societe_id) $socid=$user->societe_id;
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);
+
 $mesg = '';

 $page = $_GET["page"];
@ -46,18 +61,6 @@ $pagenext = $_GET["page"] + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="c.datec";

-// Securite
-$socid = 0;
-if ($user->societe_id > 0)
-{
-    $action = '';
-    $socid = $user->societe_id;
-}
-else
-{
-  $socid = 0;
-}
-

 /*
 * View
--- a/htdocs/product/stats/facture.php
+++ b/htdocs/product/stats/facture.php
@ -36,9 +36,19 @@ $langs->load("bills");
 $langs->load("products");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 $mesg = '';

--- a/htdocs/product/stats/facture_fournisseur.php
+++ b/htdocs/product/stats/facture_fournisseur.php
@ -37,9 +37,19 @@ $langs->load("products");
 $langs->load("companies");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 $mesg = '';

--- a/htdocs/product/stats/fiche.php
+++ b/htdocs/product/stats/fiche.php
@ -39,9 +39,19 @@ $langs->load("other");
 $mode=isset($_GET["mode"])?$_GET["mode"]:'byunit';

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 $mesg = '';

--- a/htdocs/product/stats/index.php
+++ b/htdocs/product/stats/index.php
@ -31,6 +31,9 @@
 require("./pre.inc.php");
 require_once(DOL_DOCUMENT_ROOT."/propal.class.php");

+// Security check
+if ($user->societe_id) $socid=$user->societe_id;
+$result=restrictedArea($user,'produit');

 llxHeader();

--- a/htdocs/product/stats/propal.php
+++ b/htdocs/product/stats/propal.php
@ -35,9 +35,19 @@ $langs->load("products");
 $langs->load("companies");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 $mesg = '';

--- a/htdocs/product/stock/product.php
+++ b/htdocs/product/stock/product.php
@ -32,16 +32,24 @@ require_once(DOL_DOCUMENT_ROOT."/lib/product.lib.php");
 require_once(DOL_DOCUMENT_ROOT."/product.class.php");
 require_once(DOL_DOCUMENT_ROOT."/html.formproduct.class.php");

-if (! $user->rights->produit->lire || ! $product->type == 0 || ! $conf->stock->enabled)	accessforbidden();
-
 $langs->load("products");
 $langs->load("orders");
 $langs->load("bills");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

 $mesg = '';

--- a/htdocs/product/traduction.php
+++ b/htdocs/product/traduction.php
@ -36,9 +36,19 @@ $langs->load("products");
 $langs->load("bills");

 // Security check
-$id = isset($_GET["id"])?$_GET["id"]:'';
+$id = '';
+if (isset($_GET["id"]))
+{
+	$id = $_GET["id"];
+	$fieldid = 'rowid';
+}
+if (isset($_GET["ref"]))
+{
+	$id = $_GET["ref"];
+	$fieldid = 'ref';
+}
 if ($user->societe_id) $socid=$user->societe_id;
-$result=restrictedArea($user,'produit',$id,'product');
+$result=restrictedArea($user,'produit',$id,'product','','',$fieldid);


 /*