Secu: Restriction sur soci�t�

2005-09-26 22:47:07 +00:00 · 2005-09-26 22:47:07 +00:00 · 89dcb73b3f
commit 89dcb73b3f
parent 9d857ade46
3 changed files with 112 additions and 98 deletions
--- a/htdocs/comm/index.php
+++ b/htdocs/comm/index.php
@ -38,10 +38,12 @@ if ($conf->contrat->enabled)
 $langs->load("commercial");
 $langs->load("orders");

-// Securité accès client
+// Sécurité accés client
 $socidp='';
-if ($user->societe_id > 0)
+if ($_GET["socidp"]) { $socidp=$_GET["socidp"]; }
+if ($user->societe_id > 0) 
 {
+  $action = '';
  $socidp = $user->societe_id;
 }

@ -126,40 +128,41 @@ if ($conf->contrat->enabled)
 */
 if ($conf->propal->enabled && $user->rights->propale->lire)
 {
-  $sql = "SELECT p.rowid, p.ref, p.price, s.idp, s.nom";
-  $sql .= " FROM ".MAIN_DB_PREFIX."propal as p, ".MAIN_DB_PREFIX."societe as s";
-  $sql .= " WHERE p.fk_statut = 0 and p.fk_soc = s.idp";
-  
-  $resql=$db->query($sql);
-  if ($resql)
+    $sql = "SELECT p.rowid, p.ref, p.price, s.idp, s.nom";
+    $sql.= " FROM ".MAIN_DB_PREFIX."propal as p, ".MAIN_DB_PREFIX."societe as s";
+    $sql.= " WHERE p.fk_statut = 0 and p.fk_soc = s.idp";
+    $sql.= " AND s.idp = ".$socidp;
+    
+    $resql=$db->query($sql);
+    if ($resql)
    {
-      $total = 0;
-      $num = $db->num_rows($resql);
-      if ($num > 0)
+        $total = 0;
+        $num = $db->num_rows($resql);
+        if ($num > 0)
        {
-	  print '<table class="noborder" width="100%">';
-	  print "<tr class=\"liste_titre\">";
-	  print "<td colspan=\"3\">".$langs->trans("ProposalsDraft")."</td></tr>";
-	  
-	  $i = 0;
-	  $var=true;
-	  while ($i < $num)
+            print '<table class="noborder" width="100%">';
+            print "<tr class=\"liste_titre\">";
+            print "<td colspan=\"3\">".$langs->trans("ProposalsDraft")."</td></tr>";
+
+            $i = 0;
+            $var=true;
+            while ($i < $num)
            {
-	      $obj = $db->fetch_object($resql);
-	      $var=!$var;
-	      print '<tr '.$bc[$var].'><td nowrap>'."<a href=\"".DOL_URL_ROOT."/comm/propal.php?propalid=".$obj->rowid."\">".img_object($langs->trans("ShowPropal"),"propal")." ".$obj->ref.'</a></td>';
-	      print '<td><a href="fiche.php?socid='.$obj->idp.'">'.dolibarr_trunc($obj->nom,18).'</a></td><td align="right">'.price($obj->price).'</td></tr>';
-	      $i++;
-	      $total += $obj->price;
+                $obj = $db->fetch_object($resql);
+                $var=!$var;
+                print '<tr '.$bc[$var].'><td nowrap>'."<a href=\"".DOL_URL_ROOT."/comm/propal.php?propalid=".$obj->rowid."\">".img_object($langs->trans("ShowPropal"),"propal")." ".$obj->ref.'</a></td>';
+                print '<td><a href="fiche.php?socid='.$obj->idp.'">'.dolibarr_trunc($obj->nom,18).'</a></td><td align="right">'.price($obj->price).'</td></tr>';
+                $i++;
+                $total += $obj->price;
            }
-	  if ($total>0)
-	    {
-	      $var=!$var;
-	      print '<tr class="liste_total"><td>'.$langs->trans("Total").'</td><td colspan="2" align="right">'.price($total)."</td></tr>";
-	    }
-	  print "</table><br>";
+            if ($total>0)
+            {
+                $var=!$var;
+                print '<tr class="liste_total"><td>'.$langs->trans("Total").'</td><td colspan="2" align="right">'.price($total)."</td></tr>";
+            }
+            print "</table><br>";
        }
-      $db->free($resql);
+        $db->free($resql);
    }
 }

--- a/htdocs/commande/index.php
+++ b/htdocs/commande/index.php
@ -33,6 +33,17 @@ if (!$user->rights->commande->lire) accessforbidden();

 $langs->load("orders");

+// Sécurité accés client
+$socidp='';
+if ($_GET["socidp"]) { $socidp=$_GET["socidp"]; }
+if ($user->societe_id > 0) 
+{
+  $action = '';
+  $socidp = $user->societe_id;
+}
+
+
+
 llxHeader("",$langs->trans("Orders"),"Commande");

 print_fiche_titre($langs->trans("OrdersArea"));
@ -60,10 +71,7 @@ print "</form></table><br>\n";
 */
 $sql = "SELECT c.rowid, c.ref, s.nom, s.idp FROM ".MAIN_DB_PREFIX."commande as c, ".MAIN_DB_PREFIX."societe as s";
 $sql .= " WHERE c.fk_soc = s.idp AND c.fk_statut = 0";
-if ($socidp)
-{
-  $sql .= " AND c.fk_soc = $socidp";
-}
+if ($socidp) $sql .= " AND c.fk_soc = ".$socidp;

 if ( $db->query($sql) )
 {
@ -93,28 +101,31 @@ if ( $db->query($sql) )
 */
 $sql = "SELECT c.rowid, c.ref, s.nom, s.idp FROM ".MAIN_DB_PREFIX."commande as c, ".MAIN_DB_PREFIX."societe as s";
 $sql .= " WHERE c.fk_soc = s.idp AND c.fk_statut = 1";
+if ($socidp) $sql .= " AND c.fk_soc = ".$socidp;
 $sql .= " ORDER BY c.rowid DESC";

 if ( $db->query($sql) )
 {
-  $num = $db->num_rows();
-  if ($num)
+    print '<table class="noborder" width="100%">';
+    print '<tr class="liste_titre">';
+    print '<td colspan="2">'.$langs->trans("OrdersToProcess").'</td></tr>';
+
+    $num = $db->num_rows();
+    if ($num)
    {
-      $i = 0;
-      print '<table class="noborder" width="100%">';
-      print '<tr class="liste_titre">';
-      print '<td colspan="2">'.$langs->trans("OrdersToProcess").'</td></tr>';
-      $var = True;
-      while ($i < $num)
-	{
-	  $var=!$var;
-	  $obj = $db->fetch_object();
-	  print "<tr $bc[$var]><td nowrap><a href=\"fiche.php?id=$obj->rowid\">".img_object($langs->trans("ShowOrder"),"order")." ".$obj->ref."</a></td>";
-	  print '<td><a href="'.DOL_URL_ROOT.'/comm/fiche.php?socid='.$obj->idp.'">'.img_object($langs->trans("ShowCompany"),"company").' '.$obj->nom.'</a></td></tr>';
-	  $i++;
-	}
-      print "</table><br>";
+        $i = 0;
+        $var = True;
+        while ($i < $num)
+        {
+            $var=!$var;
+            $obj = $db->fetch_object();
+            print "<tr $bc[$var]><td nowrap><a href=\"fiche.php?id=$obj->rowid\">".img_object($langs->trans("ShowOrder"),"order")." ".$obj->ref."</a></td>";
+            print '<td><a href="'.DOL_URL_ROOT.'/comm/fiche.php?socid='.$obj->idp.'">'.img_object($langs->trans("ShowCompany"),"company").' '.$obj->nom.'</a></td></tr>';
+            $i++;
+        }
    }
+
+    print "</table><br>";
 }


@ -126,32 +137,31 @@ print '</td><td valign="top" width="70%" class="notopnoleftnoright">';
 */
 $sql = "SELECT c.rowid, c.ref, s.nom, s.idp FROM ".MAIN_DB_PREFIX."commande as c, ".MAIN_DB_PREFIX."societe as s";
 $sql .= " WHERE c.fk_soc = s.idp AND c.fk_statut = 2 ";
-if ($socidp)
-{
-  $sql .= " AND c.fk_soc = $socidp";
-}
+if ($socidp) $sql .= " AND c.fk_soc = ".$socidp;
 $sql .= " ORDER BY c.rowid DESC";
+
 if ( $db->query($sql) )
 {
-  $num = $db->num_rows();
-  if ($num)
+    print '<table class="noborder" width="100%">';
+    print '<tr class="liste_titre">';
+    print '<td colspan="2">'.$langs->trans("OnProcessOrders").' ('.$num.')</td></tr>';
+
+    $num = $db->num_rows();
+    if ($num)
    {
-      $i = 0;
-      print '<table class="noborder" width="100%">';
-      print '<tr class="liste_titre">';
-      print '<td colspan="2">'.$langs->trans("OnProcessOrders").' ('.$num.')</td></tr>';
-      $var = True;
-      while ($i < $num)
-	{
-	  $var=!$var;
-	  $obj = $db->fetch_object();
-	  print "<tr $bc[$var]><td width=\"30%\"><a href=\"fiche.php?id=$obj->rowid\">".img_object($langs->trans("ShowOrder"),"order").' ';
-	  print $obj->ref.'</a></td>';
-	  print '<td><a href="'.DOL_URL_ROOT.'/comm/fiche.php?socid='.$obj->idp.'">'.$obj->nom.'</a></td></tr>';
-	  $i++;
-	}
-      print "</table><br>";
+        $i = 0;
+        $var = True;
+        while ($i < $num)
+        {
+            $var=!$var;
+            $obj = $db->fetch_object();
+            print "<tr $bc[$var]><td width=\"30%\"><a href=\"fiche.php?id=$obj->rowid\">".img_object($langs->trans("ShowOrder"),"order").' ';
+            print $obj->ref.'</a></td>';
+            print '<td><a href="'.DOL_URL_ROOT.'/comm/fiche.php?socid='.$obj->idp.'">'.$obj->nom.'</a></td></tr>';
+            $i++;
+        }
    }
+    print "</table><br>";
 }

 /*
@ -163,34 +173,35 @@ $sql = "SELECT c.rowid, c.ref, s.nom, s.idp,";
 $sql.= " ".$db->pdate("date_cloture")." as datec";
 $sql.= " FROM ".MAIN_DB_PREFIX."commande as c, ".MAIN_DB_PREFIX."societe as s";
 $sql.= " WHERE c.fk_soc = s.idp and c.fk_statut > 2";
-if ($socidp) $sql .= " AND c.fk_soc = $socidp";
+if ($socidp) $sql .= " AND c.fk_soc = ".$socidp;
 $sql.= " ORDER BY c.tms DESC";
 $sql.= $db->plimit($max, 0);

 $resql=$db->query($sql);
 if ($resql)
 {
-  $num = $db->num_rows($resql);
-  if ($num)
+    print '<table class="noborder" width="100%">';
+    print '<tr class="liste_titre">';
+    print '<td colspan="3">'.$langs->trans("LastClosedOrders",$max).'</td></tr>';
+
+    $num = $db->num_rows($resql);
+    if ($num)
    {
-      $i = 0;
-      print '<table class="noborder" width="100%">';
-      print '<tr class="liste_titre">';
-      print '<td colspan="3">'.$langs->trans("LastClosedOrders",$max).'</td></tr>';
-      $var = True;
-      while ($i < $num)
-	{
-	  $var=!$var;
-	  $obj = $db->fetch_object($resql);
-	  print "<tr $bc[$var]><td><a href=\"fiche.php?id=$obj->rowid\">".img_object($langs->trans("ShowOrders"),"order").' ';
-	  print $obj->ref.'</a></td>';
-	  print '<td><a href="'.DOL_URL_ROOT.'/comm/fiche.php?socid='.$obj->idp.'">'.img_object($langs->trans("ShowCompany"),"company").' '.$obj->nom.'</a></td>';
-	  print '<td>'.dolibarr_print_date($obj->datec).'</td>';
-	  print '</tr>';
-	  $i++;
-	}
-      print "</table><br>";
+        $i = 0;
+        $var = True;
+        while ($i < $num)
+        {
+            $var=!$var;
+            $obj = $db->fetch_object($resql);
+            print "<tr $bc[$var]><td><a href=\"fiche.php?id=$obj->rowid\">".img_object($langs->trans("ShowOrders"),"order").' ';
+            print $obj->ref.'</a></td>';
+            print '<td><a href="'.DOL_URL_ROOT.'/comm/fiche.php?socid='.$obj->idp.'">'.img_object($langs->trans("ShowCompany"),"company").' '.$obj->nom.'</a></td>';
+            print '<td>'.dolibarr_print_date($obj->datec).'</td>';
+            print '</tr>';
+            $i++;
+        }
    }
+    print "</table><br>";
 }


--- a/htdocs/contrat/index.php
+++ b/htdocs/contrat/index.php
@ -41,14 +41,14 @@ $sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
 $page = isset($_GET["page"])?$_GET["page"]:$_POST["page"];

 $statut=isset($_GET["statut"])?$_GET["statut"]:1;
-$socid=$_GET["socid"];
-

 // Sécurité accés client
+$socidp='';
+if ($_GET["socidp"]) { $socidp=$_GET["socidp"]; }
 if ($user->societe_id > 0) 
 {
  $action = '';
-  $socid = $user->societe_id;
+  $socidp = $user->societe_id;
 }

 print_fiche_titre($langs->trans("ContractsArea"));
@ -102,7 +102,7 @@ $sql.= " c.rowid as cid, c.datec, c.statut, s.nom, s.idp as sidp";
 $sql.= " FROM ".MAIN_DB_PREFIX."contrat as c, ".MAIN_DB_PREFIX."societe as s";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."contratdet as cd ON c.rowid = cd.fk_contrat";
 $sql.= " WHERE c.fk_soc = s.idp ";
-if ($socid > 0) $sql .= " AND s.idp = $socid";
+if ($socidp > 0) $sql .= " AND s.idp = ".$socidp;
 $sql.= " GROUP BY c.rowid, c.datec, c.statut, s.nom, s.idp";
 $sql.= " ORDER BY c.datec DESC";
 $sql.= " LIMIT $max";
@ -163,7 +163,7 @@ $sql = "SELECT cd.rowid as cid, cd.statut, cd.label, cd.description as note, cd.
 $sql.= " FROM ".MAIN_DB_PREFIX."contratdet as cd, ".MAIN_DB_PREFIX."contrat as c, ".MAIN_DB_PREFIX."societe as s";
 $sql.= " WHERE c.statut=1 AND cd.statut = 0";
 $sql.= " AND cd.fk_contrat = c.rowid AND c.fk_soc = s.idp";
-if ($user->societe_id > 0) $sql.= " AND s.idp = ".$user->societe_id;
+if ($socidp > 0) $sql.= " AND s.idp = ".$socidp;
 $sql.= " ORDER BY cd.tms DESC";

 if ( $db->query($sql) )
@ -210,7 +210,7 @@ $max=5;
 $sql = "SELECT cd.rowid as cid, cd.statut, cd.label, cd.description as note, cd.fk_contrat, c.fk_soc, s.nom";
 $sql.= " FROM ".MAIN_DB_PREFIX."contratdet as cd, ".MAIN_DB_PREFIX."contrat as c, ".MAIN_DB_PREFIX."societe as s";
 $sql.= " WHERE cd.fk_contrat = c.rowid AND c.fk_soc = s.idp";
-if ($user->societe_id > 0) $sql.= " AND s.idp = ".$user->societe_id;
+if ($socidp > 0) $sql.= " AND s.idp = ".$socidp;
 $sql.= " ORDER BY cd.tms DESC";

 if ( $db->query($sql) )