Fix: Bugs into permissions for module category

2014-01-07 14:55:03 +01:00 · 2014-01-07 14:55:03 +01:00 · 89c772459f
commit 89c772459f
parent 555170e573
4 changed files with 7 additions and 5 deletions
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@ -528,13 +528,13 @@ class Categorie
 	}

 	/**
-	 * 	Return list of contents of a category
+	 * 	Return list of id of elements having this category
 	 *
 	 * 	@param	string	$field				Field name for select in table. Full field name will be fk_field.
 	 * 	@param	string	$classname			PHP Class of object to store entity
 	 * 	@param	string	$category_table		Table name for select in table. Full table name will be PREFIX_categorie_table.
 	 *	@param	string	$object_table		Table name for select in table. Full table name will be PREFIX_table.
-	 *	@return	void
+	 *	@return	mixed						-1 if KO, array of instance of object if OK
 	 */
 	function get_type($field,$classname,$category_table='',$object_table='')
 	{
--- a/htdocs/categories/viewcat.php
+++ b/htdocs/categories/viewcat.php
@ -365,6 +365,8 @@ if($object->type == 2)
 			$var=true;
 			foreach ($socs as $key => $soc)
 			{
+				if ($user->societe_id > 0 && $soc->id != $user->societe_id)	continue; 	// External user always see only themself
+
 				$i++;
 				$var=!$var;
 				print "\t<tr ".$bc[$var].">\n";
--- a/htdocs/core/class/conf.class.php
+++ b/htdocs/core/class/conf.class.php
@ -403,7 +403,7 @@ class Conf
 		$this->maxfilesize = (empty($this->global->MAIN_UPLOAD_DOC) ? 0 : $this->global->MAIN_UPLOAD_DOC * 1024);

 		// Define list of limited modules
-		if (! isset($this->global->MAIN_MODULES_FOR_EXTERNAL)) $this->global->MAIN_MODULES_FOR_EXTERNAL='user,facture,commande,fournisseur,contact,propal,projet,contrat,societe,ficheinter,expedition,agenda';	// '' means 'all'. Note that contact is added here as it should be a module later.
+		if (! isset($this->global->MAIN_MODULES_FOR_EXTERNAL)) $this->global->MAIN_MODULES_FOR_EXTERNAL='user,facture,categorie,commande,fournisseur,contact,propal,projet,contrat,societe,ficheinter,expedition,agenda';	// '' means 'all'. Note that contact is added here as it should be a module later.

 		// Timeouts
        if (empty($this->global->MAIN_USE_CONNECT_TIMEOUT)) $this->global->MAIN_USE_CONNECT_TIMEOUT=10;
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@ -341,7 +341,7 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
                    $sql.= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
                }
            }
-            else if (in_array($feature,$checksoc))
+            else if (in_array($feature,$checksoc))	// We check feature = checksoc
            {
                // If external user: Check permission for external users
                if ($user->societe_id > 0)
@ -450,7 +450,7 @@ function restrictedArea($user, $features, $objectid=0, $dbtablename='', $feature
                }
            }

-            //print $sql."<br>";
+            //print "sql=".$sql."<br>";
            if ($sql)
            {
                $resql=$db->query($sql);