From 8a84922e90b43e734a24d0918e61ce4ab6da3dd5 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sat, 11 Mar 2006 16:04:19 +0000 Subject: [PATCH] =?UTF-8?q?am=E9lioration=20de=20la=20s=E9curit=E9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- htdocs/contact/exportimport.php | 26 ++++++++++++++++++++++++++ htdocs/contact/info.php | 26 ++++++++++++++++++++++++++ htdocs/contact/perso.php | 25 +++++++++++++++++++++++++ 3 files changed, 77 insertions(+) diff --git a/htdocs/contact/exportimport.php b/htdocs/contact/exportimport.php index 88acf2fe13f..9b909394e25 100644 --- a/htdocs/contact/exportimport.php +++ b/htdocs/contact/exportimport.php @@ -31,6 +31,32 @@ require_once(DOL_DOCUMENT_ROOT."/contact.class.php"); $langs->load("companies"); +// Protection quand utilisateur externe +$contactid = isset($_GET["id"])?$_GET["id"]:''; + +if ($user->societe_id > 0) +{ + $socid = $user->societe_id; +} + +// Protection restriction commercial +if ($contactid) +{ + $sql = "SELECT sc.fk_soc, sp.fk_soc"; + $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."socpeople as sp"; + $sql .= " WHERE sp.idp = ".$contactid; + if (!$user->rights->commercial->client->voir && !$user->societe_id > 0) + { + $sql .= " AND sc.fk_soc = sp.fk_soc AND sc.fk_user = ".$user->id; + } + if ($user->societe_id > 0) $sql .= " AND sp.fk_soc = ".$socid; + + if ( $db->query($sql) ) + { + if ( $db->num_rows() == 0) accessforbidden(); + } +} + /* * diff --git a/htdocs/contact/info.php b/htdocs/contact/info.php index ba3e706b33d..af5346db836 100644 --- a/htdocs/contact/info.php +++ b/htdocs/contact/info.php 
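Review bot: `$contactid` is taken verbatim from `$_GET["id"]` and concatenated into `$sql .= " WHERE sp.idp = ".$contactid;`, so the access check this hunk adds is itself an unparameterised query built from request input; the identical block is added to info.php and perso.php. Since sp.idp is compared as a number, cast at the read, `$contactid = isset($_GET["id"]) ? (int) $_GET["id"] : 0;`, so only an integer ever reaches the SQL string (the `if ($contactid)` guard keeps its meaning). The check also fails open: when `$db->query($sql)` returns false the page continues as if the caller were authorised, so fold the failure into the forbidden path, `if (!$db->query($sql) || $db->num_rows() == 0) accessforbidden();`. Finally, `!$user->societe_id > 0` parses as `(!$user->societe_id) > 0` because `!` binds tighter than `>`; it evaluates to "no societe_id set", which is what the surrounding code wants, but `$user->societe_id <= 0` says so without relying on that coincidence.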
@@ -33,6 +33,32 @@ require_once(DOL_DOCUMENT_ROOT."/contact.class.php"); $langs->load("companies"); +// Protection quand utilisateur externe +$contactid = isset($_GET["id"])?$_GET["id"]:''; + +if ($user->societe_id > 0) +{ + $socid = $user->societe_id; +} + +// Protection restriction commercial +if ($contactid) +{ + $sql = "SELECT sc.fk_soc, sp.fk_soc"; + $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."socpeople as sp"; + $sql .= " WHERE sp.idp = ".$contactid; + if (!$user->rights->commercial->client->voir && !$user->societe_id > 0) + { + $sql .= " AND sc.fk_soc = sp.fk_soc AND sc.fk_user = ".$user->id; + } + if ($user->societe_id > 0) $sql .= " AND sp.fk_soc = ".$socid; + + if ( $db->query($sql) ) + { + if ( $db->num_rows() == 0) accessforbidden(); + } +} + llxHeader(); diff --git a/htdocs/contact/perso.php b/htdocs/contact/perso.php index 536b5acd211..6d5fa074ada 100644 --- a/htdocs/contact/perso.php +++ b/htdocs/contact/perso.php @@ -33,6 +33,31 @@ require_once(DOL_DOCUMENT_ROOT."/lib/vcard/vcard.class.php"); $langs->load("companies"); +// Protection quand utilisateur externe +$contactid = isset($_GET["id"])?$_GET["id"]:''; + +if ($user->societe_id > 0) +{ + $socid = $user->societe_id; +} + +// Protection restriction commercial +if ($contactid) +{ + $sql = "SELECT sc.fk_soc, sp.fk_soc"; + $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."socpeople as sp"; + $sql .= " WHERE sp.idp = ".$contactid; + if (!$user->rights->commercial->client->voir && !$user->societe_id > 0) + { + $sql .= " AND sc.fk_soc = sp.fk_soc AND sc.fk_user = ".$user->id; + } + if ($user->societe_id > 0) $sql .= " AND sp.fk_soc = ".$socid; + + if ( $db->query($sql) ) + { + if ( $db->num_rows() == 0) accessforbidden(); + } +} if ($_POST["action"] == 'update') {
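Review bot: In perso.php the new guard only runs when `id` is present in the query string: otherwise `$contactid` is `''`, `if ($contactid)` is skipped, and execution reaches `if ($_POST["action"] == 'update')` on the very next line with no restriction applied. If that update branch (its body is outside the hunk) identifies the contact from `$_POST` rather than `$_GET`, the restriction does not cover it at all; the read should take the id from whichever source the handler uses, e.g. `$contactid = isset($_GET["id"]) ? (int) $_GET["id"] : (isset($_POST["id"]) ? (int) $_POST["id"] : 0);`, and the handler should then use that same validated value. This needs confirming against the rest of perso.php, which is not visible here.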