diff --git a/htdocs/comm/propal/contact.php b/htdocs/comm/propal/contact.php
index 306b56ddf13..77ffe3bf06c 100644
--- a/htdocs/comm/propal/contact.php
+++ b/htdocs/comm/propal/contact.php
@@ -37,15 +37,10 @@ $langs->load("orders");
 $langs->load("sendings");
 $langs->load("companies");
-$user->getrights('propale');
-if (!$user->rights->propale->lire) accessforbidden();
+$propalid = isset($_GET["propalid"])?$_GET["propalid"]:'';
-// Sécurité accés client
-if ($user->societe_id > 0)
-{
- $action = '';
- $socid = $user->societe_id;
-}
+// Sécurité d'accès client et commerciaux
+$security = restrictedArea($user, 'propale', $propalid, 'propal');
 /*
  * Ajout d'un nouveau contact
diff --git a/htdocs/commande/contact.php b/htdocs/commande/contact.php
index 9597cfc7884..8b2c049de81 100644
--- a/htdocs/commande/contact.php
+++ b/htdocs/commande/contact.php
@@ -37,15 +37,10 @@ $langs->load("orders");
 $langs->load("sendings");
 $langs->load("companies");
-$user->getrights('commande');
-if (!$user->rights->commande->lire) accessforbidden();
+$commandeid = isset($_GET["id"])?$_GET["id"]:'';
-// Sécurité accés client
-if ($user->societe_id > 0)
-{
- $action = '';
- $socid = $user->societe_id;
-}
+// Sécurité d'accès client et commerciaux
+$security = restrictedArea($user, 'commande', $commandeid);
 /*
  * Ajout d'un nouveau contact
diff --git a/htdocs/compta/facture/contact.php b/htdocs/compta/facture/contact.php
index 852b34395d5..496ca7e1f91 100644
--- a/htdocs/compta/facture/contact.php
+++ b/htdocs/compta/facture/contact.php
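Review bot: `$propalid` is read straight from `$_GET["propalid"]` and handed to restrictedArea(), which concatenates its `$objectid` argument unescaped into `WHERE dbt.rowid = `, so this line is the entry point for SQL injection; the commande, facture and contrat hunks have the same shape with `$_GET["id"]` / `$_GET["facid"]`. Since rowid is a numeric key, coerce at the boundary: `$propalid = isset($_GET["propalid"]) ? (int) $_GET["propalid"] : 0;` (0 keeps the helper's `if ($objectid && ...)` branch skipped exactly as `''` did). The removed block also reset `$action = ''` for external users (`$user->societe_id > 0`), and restrictedArea() does not reproduce that, so any `$action`-driven contact add/delete handling further down these files (outside the hunk) is presumably now reachable by external users unless it checks rights itself — worth confirming before merging.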
@@ -33,19 +33,12 @@ require_once(DOL_DOCUMENT_ROOT."/contact.class.php");
 require_once(DOL_DOCUMENT_ROOT.'/lib/invoice.lib.php');
 $langs->load("facture");
-// $langs->load("orders");
 $langs->load("companies");
-$user->getrights('facture');
+$facid = isset($_GET["facid"])?$_GET["facid"]:'';
-if (!$user->rights->facture->lire) accessforbidden();
-
-// Sécurité accés client
-if ($user->societe_id > 0)
-{
- $action = '';
- $socid = $user->societe_id;
-}
+// Sécurité d'accès client et commerciaux
+$security = restrictedArea($user, 'facture', $facid);
 /*
  * Ajout d'un nouveau contact
diff --git a/htdocs/contrat/contact.php b/htdocs/contrat/contact.php
index ba24b2b66ef..4654afc73f3 100644
--- a/htdocs/contrat/contact.php
+++ b/htdocs/contrat/contact.php
@@ -34,39 +34,12 @@ require_once(DOL_DOCUMENT_ROOT."/contact.class.php");
 $langs->load("contracts");
-// $langs->load("orders");
 $langs->load("companies");
-$user->getrights('contrat');
-
-if (!$user->rights->contrat->lire) accessforbidden();
-
-// Sécurité accés client et commerciaux
 $contratid = isset($_GET["id"])?$_GET["id"]:'';
-if ($user->societe_id > 0)
-{
- $action = '';
- $socid = $user->societe_id;
-}
-
-// Protection restriction commercial
-if ($contratid && (!$user->rights->commercial->client->voir || $user->societe_id > 0))
-{
- $sql = "SELECT sc.fk_soc, c.fk_soc";
- $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."contrat as c";
- $sql .= " WHERE c.rowid = ".$contratid;
- if (!$user->rights->commercial->client->voir && !$user->societe_id > 0)
- {
- $sql .= " AND sc.fk_soc = c.fk_soc AND sc.fk_user = ".$user->id;
- }
- if ($user->societe_id > 0) $sql .= " AND c.fk_soc = ".$socid;
-
- if ( $db->query($sql) )
- {
- if ( $db->num_rows() == 0) accessforbidden();
- }
-}
+// Sécurité d'accès client et commerciaux
+$security = restrictedArea($user, 'contrat', $contratid);
 /*
  * Ajout d'un nouveau contact
diff --git a/htdocs/lib/functions.inc.php b/htdocs/lib/functions.inc.php
index 28b95899599..2a77df0ae15 100644
--- a/htdocs/lib/functions.inc.php
+++ b/htdocs/lib/functions.inc.php
@@ -1247,6 +1247,57 @@ function dol_loginfunction($notused,$pearstatus)
 print "\n\n";
 }
+/*
+ * \brief Vérifie les droits de l'utilisateur
+ * \param user Utilisateur courant
+ * \param module Module à vérifier
+ * \param objectid ID du document
+ * \param dbtable Table de la base correspondant au module (optionnel)
+ */
+ function restrictedArea($user, $modulename, $objectid='' , $dbtablename='')
+ {
+ global $db;
+
+ $user->getrights($modulename);
+ $socid = 0;
+
+ //si dbtable non défini, même nom que le module
+ if (!$dbtable) $dbtablename = $modulename;
+
+ if (!$user->rights->$modulename->lire)
+ {
+ accessforbidden();
+ return -1;
+ }
+
+ if ($user->societe_id > 0)
+ {
+ $socid = $user->societe_id;
+ }
+
+ if ($objectid && (!$user->rights->commercial->client->voir || $socid > 0))
+ {
+ $sql = "SELECT sc.fk_soc, dbt.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX.$dbtablename." as dbt";
+ $sql .= " WHERE dbt.rowid = ".$objectid;
+ if (!$user->rights->commercial->client->voir && !$socid > 0)
+ {
+ $sql .= " AND sc.fk_soc = dbt.fk_soc AND sc.fk_user = ".$user->id;
+ }
+ if ($socid > 0) $sql .= " AND dbt.fk_soc = ".$socid;
+
+ if ($db->query($sql))
+ {
+ if ($db->num_rows() == 0)
+ {
+ accessforbidden();
+ return -2;
+ }
+ }
+ }
+ return 1;
+}
+
 /** \brief Affiche message erreur de type acces interdit et arrete le programme
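Review bot: `if (!$dbtable) $dbtablename = $modulename;` tests a variable that does not exist — the parameter is `$dbtablename` — so the condition is always true and the caller's table name is always discarded; the propal call in this commit passes `'propal'` for module `'propale'`, so its query will be built against `MAIN_DB_PREFIX."propale"` instead. When that query errors, `$db->query($sql)` returns false and the function falls through to `return 1`, i.e. the customer / sales-rep restriction fails open. `$objectid` is also concatenated unescaped into `WHERE dbt.rowid = `, and every caller in this commit takes it from `$_GET`. Fix the typo, cast the id to int, and treat a failed query like an empty result; separately, `!$socid > 0` parses as `(!$socid) > 0`, which happens to work but reads as a mistake, and `$socid == 0` says what is meant. The unreachable `return -1` / `return -2` after accessforbidden() are harmless given the docblock below says it stops the program, but a one-line comment saying so would save the next reader a check.
```php
if (!$dbtablename) $dbtablename = $modulename;
// … unchanged: read-right check and $socid setup …
$sql .= " WHERE dbt.rowid = ".(int) $objectid;
// … unchanged: sales-rep / customer filters …
// Fail closed: a query error must not grant access
if (!$db->query($sql) || $db->num_rows() == 0)
{
    accessforbidden();
    return -2;
}
```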