Fix: security with multi-company

2009-05-04 08:42:29 +00:00 · 2009-05-04 08:42:29 +00:00 · 8b02eb1f3f
commit 8b02eb1f3f
parent 825f3346c9
16 changed files with 64 additions and 144 deletions
--- a/htdocs/product/barcode.php
+++ b/htdocs/product/barcode.php
@ -34,17 +34,12 @@ $langs->load("products");
 $langs->load("bills");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/document.php
+++ b/htdocs/product/document.php
@ -39,17 +39,12 @@ $langs->load("products");
 $action=empty($_GET['action']) ? (empty($_POST['action']) ? '' : $_POST['action']) : $_GET['action'];

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/fiche.php
+++ b/htdocs/product/fiche.php
@ -41,17 +41,12 @@ $langs->load("other");
 $langs->load("stocks");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/fournisseurs.php
+++ b/htdocs/product/fournisseurs.php
@ -36,17 +36,12 @@ $langs->load("suppliers");
 $langs->load("bills");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/photos.php
+++ b/htdocs/product/photos.php
@ -35,17 +35,12 @@ $langs->load("products");
 $langs->load("bills");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
@ -35,17 +35,12 @@ $langs->load("products");
 $langs->load("bills");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/sousproduits/fiche.php
+++ b/htdocs/product/sousproduits/fiche.php
@ -36,17 +36,12 @@ $langs->load("bills");
 $langs->load("products");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/stats/commande.php
+++ b/htdocs/product/stats/commande.php
@ -36,17 +36,12 @@ $langs->load("products");
 $langs->load("companies");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/stats/commande_fournisseur.php
+++ b/htdocs/product/stats/commande_fournisseur.php
@ -36,17 +36,12 @@ $langs->load("products");
 $langs->load("companies");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/stats/contrat.php
+++ b/htdocs/product/stats/contrat.php
@ -35,17 +35,12 @@ $langs->load("products");
 $langs->load("companies");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/stats/facture.php
+++ b/htdocs/product/stats/facture.php
@ -36,17 +36,12 @@ $langs->load("bills");
 $langs->load("products");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/stats/facture_fournisseur.php
+++ b/htdocs/product/stats/facture_fournisseur.php
@ -37,17 +37,12 @@ $langs->load("products");
 $langs->load("companies");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/stats/fiche.php
+++ b/htdocs/product/stats/fiche.php
@ -39,17 +39,12 @@ $langs->load("other");
 $mode=isset($_GET["mode"])?$_GET["mode"]:'byunit';

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/stats/propal.php
+++ b/htdocs/product/stats/propal.php
@ -35,17 +35,12 @@ $langs->load("products");
 $langs->load("companies");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/stock/product.php
+++ b/htdocs/product/stock/product.php
@ -37,17 +37,12 @@ $langs->load("orders");
 $langs->load("bills");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);

--- a/htdocs/product/traduction.php
+++ b/htdocs/product/traduction.php
@ -36,17 +36,12 @@ $langs->load("products");
 $langs->load("bills");

 // Security check
-$id = '';
-if (isset($_GET["id"]))
+if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
-	$id = $_GET["id"];
-	$fieldid = 'rowid';
-}
-if (isset($_GET["ref"]))
-{
-	$id = $_GET["ref"];
-	$fieldid = 'ref';
+	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
+	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
 }
+
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);