From 99d5c4ebf334bba94714fbcd88374e6cf2db06ec Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 24 Dec 2022 14:18:58 +0100 Subject: [PATCH] FIX #yogosha13939 --- htdocs/partnership/admin/setup.php | 11 +++++------ htdocs/partnership/admin/website.php | 4 ++-- htdocs/partnership/partnership_agenda.php | 9 ++++++++- htdocs/partnership/partnership_card.php | 4 ++++ htdocs/partnership/partnership_contact.php | 12 +++++++++-- htdocs/partnership/partnership_document.php | 10 ++++++++-- htdocs/partnership/partnership_list.php | 22 ++++++++++----------- htdocs/partnership/partnership_note.php | 11 +++++++++++ 8 files changed, 58 insertions(+), 25 deletions(-) diff --git a/htdocs/partnership/admin/setup.php b/htdocs/partnership/admin/setup.php index a398a6860b1..3f8ac2adaae 100644 --- a/htdocs/partnership/admin/setup.php +++ b/htdocs/partnership/admin/setup.php @@ -31,17 +31,16 @@ require_once '../lib/partnership.lib.php'; // Translations $langs->loadLangs(array("admin", "partnership")); +$action = GETPOST('action', 'aZ09'); +$value = GETPOST('value', 'alpha'); + +$error = 0; + // Security check if (!$user->admin) { accessforbidden(); } -$action = GETPOST('action', 'aZ09'); -$value = GETPOST('value', 'alpha'); - - -$error = 0; - /* * Actions diff --git a/htdocs/partnership/admin/website.php b/htdocs/partnership/admin/website.php index 717783f68d9..498c7e245aa 100644 --- a/htdocs/partnership/admin/website.php +++ b/htdocs/partnership/admin/website.php @@ -37,12 +37,12 @@ $langs->loadLangs(array("admin", "partnership")); $action = GETPOST('action', 'aZ09'); +$error = 0; + if (!$user->admin) { accessforbidden(); } -$error = 0; - /* * Actions diff --git a/htdocs/partnership/partnership_agenda.php b/htdocs/partnership/partnership_agenda.php index dd886fc70d7..20b3d5a8a2c 100644 --- a/htdocs/partnership/partnership_agenda.php +++ b/htdocs/partnership/partnership_agenda.php 
@@ -84,12 +84,19 @@ if ($id > 0 || !empty($ref)) { $upload_dir = $conf->partnership->multidir_output[$object->entity]."/".$object->id; } +$permissiontoread = $user->rights->partnership->read; +$permissiontoadd = $user->rights->partnership->write; // Used by the include of actions_addupdatedelete.inc.php +$managedfor = getDolGlobalString('PARTNERSHIP_IS_MANAGED_FOR', 'thirdparty'); + // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; //$result = restrictedArea($user, 'partnership', $object->id); +if (empty($conf->partnership->enabled)) accessforbidden(); +if (empty($permissiontoread)) accessforbidden(); +if ($object->id > 0 && !($object->fk_member > 0) && $managedfor == 'member') accessforbidden(); +if ($object->id > 0 && !($object->fk_soc > 0) && $managedfor == 'thirdparty') accessforbidden(); -$permissiontoadd = $user->rights->partnership->write; // Used by the include of actions_addupdatedelete.inc.php /* diff --git a/htdocs/partnership/partnership_card.php b/htdocs/partnership/partnership_card.php index de5449b7e80..ae4f44b968c 100644 --- a/htdocs/partnership/partnership_card.php +++ b/htdocs/partnership/partnership_card.php @@ -81,6 +81,10 @@ $permissiondellink = $user->rights->partnership->write; // Used by the include $upload_dir = $conf->partnership->multidir_output[isset($object->entity) ? $object->entity : 1]; $managedfor = getDolGlobalString('PARTNERSHIP_IS_MANAGED_FOR', 'thirdparty'); +// Security check - Protection if external user +//if ($user->socid > 0) accessforbidden(); +//if ($user->socid > 0) $socid = $user->socid; +//$result = restrictedArea($user, 'partnership', $object->id); if (empty($conf->partnership->enabled)) accessforbidden(); if (empty($permissiontoread)) accessforbidden(); if ($object->id > 0 && !($object->fk_member > 0) && $managedfor == 'member') accessforbidden(); 
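Review bot: None of the four new `accessforbidden()` guards in partnership_agenda.php ties the record to the caller: they check the module flag, the read right and that the fetched record has an fk_member/fk_soc matching PARTNERSHIP_IS_MANAGED_FOR, so an external user (`$user->socid > 0`) holding the read right can still open any partnership by id, and the lines that would handle that case stay commented out. If external users are meant to reach this tab, add `if ($user->socid > 0 && $managedfor == 'thirdparty' && $object->id > 0 && $object->fk_soc != $user->socid) accessforbidden();` after the fk_soc check, or re-enable `$result = restrictedArea($user, 'partnership', $object->id);` if that helper performs the scoping for this module (its behaviour is not visible here). The fetch of `$object` lives in the `if ($id > 0 || !empty($ref))` block that begins before the hunk.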
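Review bot: Commented-out checks are not checks: the only lines added to partnership_card.php (`//if ($user->socid > 0) accessforbidden();`, `//if ($user->socid > 0) $socid = $user->socid;` and the disabled `restrictedArea` call) change no behaviour yet read as if an external-user protection were in place. Either enable the guard that is wanted, for example `if ($user->socid > 0 && $managedfor == 'thirdparty' && $object->id > 0 && $object->fk_soc != $user->socid) accessforbidden();`, or drop the dead lines and keep just the `// Security check` comment. The `accessforbidden()` guards below them are context lines and are not changed by this commit.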
diff --git a/htdocs/partnership/partnership_contact.php b/htdocs/partnership/partnership_contact.php index 75d315ae396..270645c0d52 100644 --- a/htdocs/partnership/partnership_contact.php +++ b/htdocs/partnership/partnership_contact.php @@ -51,15 +51,23 @@ $extrafields->fetch_name_optionals_label($object->table_element); // Load object include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals +$permissiontoread = $user->rights->partnership->read; +$permission = $user->rights->partnership->write; +$managedfor = getDolGlobalString('PARTNERSHIP_IS_MANAGED_FOR', 'thirdparty'); + // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; //$result = restrictedArea($user, 'partnership', $object->id); +if (empty($conf->partnership->enabled)) accessforbidden(); +if (empty($permissiontoread)) accessforbidden(); +if ($object->id > 0 && !($object->fk_member > 0) && $managedfor == 'member') accessforbidden(); +if ($object->id > 0 && !($object->fk_soc > 0) && $managedfor == 'thirdparty') accessforbidden(); + -$permission = $user->rights->partnership->write; /* - * Add a new contact + * Actions */ if ($action == 'addcontact' && $permission) { diff --git a/htdocs/partnership/partnership_document.php b/htdocs/partnership/partnership_document.php index 0b6d0e6bd07..8651590e37a 100644 --- a/htdocs/partnership/partnership_document.php +++ b/htdocs/partnership/partnership_document.php 
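Review bot: The write right in partnership_contact.php is stored as `$permission` while every other file in this patch calls it `$permissiontoadd`; aligning the name, `$permissiontoadd = $user->rights->partnership->write;` and `if ($action == 'addcontact' && $permissiontoadd) {`, keeps the guards greppable across the module (other uses of `$permission` further down the file would need the same rename). As in the sibling tabs, the new `accessforbidden()` lines verify module, read right and managedfor consistency but do not restrict an external user (`$user->socid > 0`) to its own record, and the `//if ($user->socid > 0)` lines remain commented. The `addcontact` action body continues past the end of the hunk.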
@@ -75,12 +75,18 @@ if ($id > 0 || !empty($ref)) { $upload_dir = $conf->partnership->multidir_output[$object->entity ? $object->entity : $conf->entity]."/partnership/".get_exdir(0, 0, 0, 1, $object); } +$permissiontoread = $user->rights->partnership->read; +$permissiontoadd = $user->rights->partnership->write; // Used by the include of actions_addupdatedelete.inc.php +$managedfor = getDolGlobalString('PARTNERSHIP_IS_MANAGED_FOR', 'thirdparty'); + // Security check - Protection if external user //if ($user->socid > 0) accessforbidden(); //if ($user->socid > 0) $socid = $user->socid; //$result = restrictedArea($user, 'partnership', $object->id); - -$permissiontoadd = $user->rights->partnership->write; // Used by the include of actions_addupdatedelete.inc.php +if (empty($conf->partnership->enabled)) accessforbidden(); +if (empty($permissiontoread)) accessforbidden(); +if ($object->id > 0 && !($object->fk_member > 0) && $managedfor == 'member') accessforbidden(); +if ($object->id > 0 && !($object->fk_soc > 0) && $managedfor == 'thirdparty') accessforbidden(); diff --git a/htdocs/partnership/partnership_list.php b/htdocs/partnership/partnership_list.php index 36a0fd39218..a795d8d33f4 100644 --- a/htdocs/partnership/partnership_list.php +++ b/htdocs/partnership/partnership_list.php @@ -85,6 +85,8 @@ $extrafields->fetch_name_optionals_label($object->table_element); $search_array_options = $extrafields->getOptionalsFromPost($object->table_element, '', 'search_'); +$error = 0; + $managedfor = getDolGlobalString('PARTNERSHIP_IS_MANAGED_FOR', 'thirdparty'); if ($managedfor != 'member' && $sortfield == 'd.datefin') $sortfield = ''; 
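Review bot: For a tab that serves and deletes uploaded files, the new guards in partnership_document.php only establish that the record has an fk_soc/fk_member consistent with `$managedfor`, not that it belongs to the caller, so an external user holding the read right can reach the `$upload_dir` of any partnership by id. If external access is intended, add `if ($user->socid > 0 && $managedfor == 'thirdparty' && $object->id > 0 && $object->fk_soc != $user->socid) accessforbidden();` after the fk_soc check, with an equivalent member comparison if the user object carries a member link in this version (not visible here). The file-action includes that rely on `$permissiontoadd` sit after the hunk.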
@@ -149,18 +151,14 @@ $permissiontoread = $user->rights->partnership->read; $permissiontoadd = $user->rights->partnership->write; $permissiontodelete = $user->rights->partnership->delete; -// Security check -if (empty($conf->partnership->enabled)) { - accessforbidden('Module not enabled'); -} -if ($user->socid > 0) { // Protection if external user - //$socid = $user->socid; - accessforbidden(); -} -//$result = restrictedArea($user, 'partnership'); -//if (!$permissiontoread) accessforbidden(); - -$error = 0; +// Security check - Protection if external user +//if ($user->socid > 0) accessforbidden(); +//if ($user->socid > 0) $socid = $user->socid; +//$result = restrictedArea($user, 'partnership', $object->id); +if (empty($conf->partnership->enabled)) accessforbidden(); +if (empty($permissiontoread)) accessforbidden(); +if ($object->id > 0 && !($object->fk_member > 0) && $managedfor == 'member') accessforbidden(); +if ($object->id > 0 && !($object->fk_soc > 0) && $managedfor == 'thirdparty') accessforbidden(); /* diff --git a/htdocs/partnership/partnership_note.php b/htdocs/partnership/partnership_note.php index a38fdc65ade..b0e16f7f3a5 100644 --- a/htdocs/partnership/partnership_note.php +++ b/htdocs/partnership/partnership_note.php 
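Review bot: Access is loosened, not tightened, in partnership_list.php: the removed block unconditionally rejected external users (`if ($user->socid > 0) { accessforbidden(); }`), while the replacement keeps that line commented out, so an external user with the partnership read right now reaches the full list. The two `$object->id > 0` guards copied from the card page are inert here if `$object` is the empty instance a list page uses for field metadata (its construction is above the hunk). Keep the original line, `if ($user->socid > 0) accessforbidden();`, or set `$socid = $user->socid;` and filter the list SQL on it further down, whichever the product intends.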
@@ -57,14 +57,25 @@ if ($id > 0 || !empty($ref)) { $upload_dir = $conf->partnership->multidir_output[$object->entity]."/".$object->id; } +$permissiontoread = $user->rights->partnership->read; $permissionnote = $user->rights->partnership->write; // Used by the include of actions_setnotes.inc.php $permissiontoadd = $user->rights->partnership->write; // Used by the include of actions_addupdatedelete.inc.php +$managedfor = getDolGlobalString('PARTNERSHIP_IS_MANAGED_FOR', 'thirdparty'); +// Security check - Protection if external user +//if ($user->socid > 0) accessforbidden(); +//if ($user->socid > 0) $socid = $user->socid; +//$result = restrictedArea($user, 'partnership', $object->id); +if (empty($conf->partnership->enabled)) accessforbidden(); +if (empty($permissiontoread)) accessforbidden(); +if ($object->id > 0 && !($object->fk_member > 0) && $managedfor == 'member') accessforbidden(); +if ($object->id > 0 && !($object->fk_soc > 0) && $managedfor == 'thirdparty') accessforbidden(); /* * Actions */ + $reshook = $hookmanager->executeHooks('doActions', array(), $object, $action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) { setEventMessages($hookmanager->error, $hookmanager->errors, 'errors');
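Review bot: All record-level guards added to partnership_note.php are conditioned on `$object->id > 0`, so when `$id` or `$ref` was supplied but the fetch found nothing, every check passes and the page continues with an unloaded object and an `$upload_dir` built from an empty `$object->id`; whether the fetch branch above the hunk already aborts on that path is not visible here. A guard such as `if (($id > 0 || !empty($ref)) && !($object->id > 0)) accessforbidden();` (or the module's not-found handler) before the permission checks makes the outcome explicit. Minor: the `// Security check` comment follows `$managedfor` without the blank line the sibling files use.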