From 83051a8c7cbe0cb4b2322087eda523454ebcf2a2 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Fri, 10 Mar 2006 10:19:56 +0000
Subject: [PATCH] =?UTF-8?q?am=E9lioration=20de=20la=20s=E9curit=E9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 htdocs/fourn/fiche.php | 2 +-
 htdocs/soc.php | 19 ++++++++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/htdocs/fourn/fiche.php b/htdocs/fourn/fiche.php
index d925cd2ca56..2e0e1f22776 100644
--- a/htdocs/fourn/fiche.php
+++ b/htdocs/fourn/fiche.php
@@ -36,7 +36,7 @@ $langs->load('bills');
 $langs->load('orders');
 $langs->load('companies');
 
-$socidp = isset($_GET["socid"])?$_GET["socid"]:'';
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
 
 if ($socid == '') accessforbidden();
 
diff --git a/htdocs/soc.php b/htdocs/soc.php
index 3dd722e6b22..a65d105512d 100644
--- a/htdocs/soc.php
+++ b/htdocs/soc.php
@@ -44,12 +44,29 @@ if (! $user->rights->societe->creer)
 }
 }
 
+$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+
+if ($socid == '') accessforbidden();
+
 // Sécurité accés client
 if ($user->societe_id > 0)
 {
 $_GET["action"] = '';
 $_POST["action"] = '';
-$_GET["socid"] = $user->societe_id;
+$socid = $user->societe_id;
+}
+
+// Protection restriction commercial
+if (!$user->rights->commercial->client->voir && $socid && !$user->societe_id > 0)
+{
+$sql = "SELECT sc.fk_soc";
+$sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc";
+$sql .= " WHERE fk_soc = ".$socid." AND fk_user = ".$user->id;
+
+if ( $db->query($sql) )
+{
+if ( $db->num_rows() == 0) accessforbidden();
+}
 }
 
 $soc = new Societe($db);
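Review bot: The new commercial-restriction query in the soc.php hunk concatenates `$socid` into SQL (`" WHERE fk_soc = ".$socid."`) while `$socid` is taken straight from `$_GET["socid"]` with nothing but an `== ''` check, so a non-numeric (or array) value reaches the query unescaped. Cast at intake and reject anything that is not a positive id, `$socid = isset($_GET["socid"]) ? (int) $_GET["socid"] : 0;` followed by `if ($socid <= 0) accessforbidden();`, which keeps the forbid-when-missing behaviour and makes the later concatenation safe. The check is also fail-open: when `$db->query($sql)` returns false nothing is forbidden and the page goes on to load the company, so add `else accessforbidden();` after the `if ( $db->query($sql) )` block. Note that `!$user->societe_id > 0` parses as `(!$user->societe_id) > 0` because `!` binds tighter than `>`; it happens to yield the intended result, but `$user->societe_id == 0` (or `! ($user->societe_id > 0)`) states what is meant. Both new blocks are fully inside the hunk, but the surrounding script continues past `$soc = new Societe($db);`.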