am�lioration de la s�curit�

2006-03-10 10:19:56 +00:00 · 2006-03-10 10:19:56 +00:00 · 83051a8c7c
commit 83051a8c7c
parent f501321470
2 changed files with 19 additions and 2 deletions
--- a/htdocs/fourn/fiche.php
+++ b/htdocs/fourn/fiche.php
@ -36,7 +36,7 @@ $langs->load('bills');
 $langs->load('orders');
 $langs->load('companies');

-$socidp = isset($_GET["socid"])?$_GET["socid"]:'';
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';

 if ($socid == '') accessforbidden();

--- a/htdocs/soc.php
+++ b/htdocs/soc.php
@ -44,12 +44,29 @@ if (! $user->rights->societe->creer)
    }
 }

+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+
+if ($socid == '') accessforbidden();
+
 // Sécurité accés client
 if ($user->societe_id > 0) 
 {
  $_GET["action"] = '';
  $_POST["action"] = '';
-  $_GET["socid"] = $user->societe_id;
+  $socid = $user->societe_id;
+}
+
+// Protection restriction commercial
+if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0)
+{
+        $sql = "SELECT sc.fk_soc";
+        $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc";
+        $sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id;
+
+        if ( $db->query($sql) )
+        {
+          if ( $db->num_rows() == 0) accessforbidden();
+        }
 }

 $soc = new Societe($db);