From 9352e6d5c729bfe476836a65dc103d9ebf0a33b6 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Fri, 10 Mar 2006 17:13:31 +0000
Subject: [PATCH] =?UTF-8?q?am=E9lioration=20de=20la=20s=E9curit=E9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 htdocs/projet/facture.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/htdocs/projet/facture.php b/htdocs/projet/facture.php
index 56e374e2747..5a96a1c6c68 100644
--- a/htdocs/projet/facture.php
+++ b/htdocs/projet/facture.php
@@ -49,18 +49,19 @@ if ($_GET["id"]) { $projetid=$_GET["id"]; }
 if ($projetid == '') accessforbidden();
-
 if ($user->societe_id > 0) { $socidp = $user->societe_id; }
 // Protection restriction commercial
-if (!$user->rights->commercial->client->voir && $projetid && !$user->societe_id > 0)
+if ($projetid)
 {
 $sql = "SELECT sc.fk_soc, p.rowid, p.fk_soc";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."projet as p";
-$sql .= " WHERE p.rowid = ".$projetid." AND sc.fk_soc = p.fk_soc AND fk_user = ".$user->id;
+$sql .= " WHERE p.rowid = ".$projetid;
+if (!$user->rights->commercial->client->voir) $sql .= " AND sc.fk_soc = p.fk_soc AND fk_user = ".$user->id;
+if ($socidp) $sql .= " AND p.fk_soc = ".$socidp;
 if ( $db->query($sql) ) {