FIX missing access security checking with multicompany

Regis Houssin 2019-02-14 10:12:15 +01:00
parent 53a8f1cd3b
commit aa4c5ae839
4 changed files with 7 additions and 7 deletions


@ -451,12 +451,12 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh
if ($feature == 'project') $feature='projet';
if ($feature == 'task') $feature='projet_task';
$check = array('adherent','banque','don','user','usergroup','product','produit','service','produit|service','categorie','resource'); // Test on entity only (Objects with no link to company)
$check = array('adherent','banque','don','user','usergroup','product','produit','service','produit|service','stock','categorie','resource'); // Test on entity only (Objects with no link to company)
$checksoc = array('societe'); // Test for societe object
$checkother = array('contact','agenda'); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...).
$checkproject = array('projet','project'); // Test for project object
$checktask = array('projet_task');
$nocheck = array('barcode','stock'); // No test
$nocheck = array('barcode'); // No test
$checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...).
// If dbtablename not defined, we use same name for table than module name
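Review bot: With 'stock' now in `$check`, the entity test only works when the caller supplies the real table, because the comment on the last visible line says the table name defaults to the module name, and the three callers in this commit pass `'entrepot&stock'` explicitly. I would record that next to the array, e.g. `// 'stock': callers must pass 'entrepot&stock' as table; the feature name is presumably not a table`. Any page that still calls `restrictedArea($user,'stock')` without an object id most likely never reaches this test, so the remaining call sites are worth checking. The function body starts and ends outside the hunk.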


@ -52,7 +52,7 @@ if (! $sortorder) $sortorder="DESC";
$backtopage=GETPOST('backtopage','alpha');
// Security check
$result=restrictedArea($user,'stock');
$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
$hookmanager->initHooks(array('warehousecard','globalcard'));
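Review bot: `$id` is passed to `restrictedArea()` here, but nothing in the visible lines assigns it, so the check depends on an assignment above the hunk. If `$id` is not yet set at this point, the call gets an empty object id and the new entity test is presumably skipped. The last file of this commit had to move its check below `$id=GETPOST('id','int');` for that reason. Please confirm the order in this file too, or read the value directly above the call with `$id = GETPOST('id','int');`.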


@ -33,7 +33,7 @@ $id = GETPOST('id','int');
$ref = GETPOST('ref','alpha');
// Security check
$result=restrictedArea($user,'stock');
$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
/*
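Review bot: The added check is keyed on `$id` alone, although this page also reads `$ref` two lines above the call. When the warehouse is identified by ref, `$id` is empty and the entity test in checkUserAccessToObject is presumably not reached, leaving only the module-level permission check. Resolve the request to a warehouse id first and pass that, e.g. `$result=restrictedArea($user,'stock', $resolvedId, 'entrepot&stock');`, where `$resolvedId` is a placeholder for the id looked up from `$id` or `$ref`. The same applies to the last file in this commit, which reads `id` and `ref` and then checks `$id` only.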


@ -46,9 +46,6 @@ if (! empty($conf->projet->enabled))
$langs->loadLangs(array('products', 'stocks'));
if (! empty($conf->productbatch->enabled)) $langs->load("productbatch");
// Security check
$result=restrictedArea($user,'stock');
$id=GETPOST('id','int');
$ref = GETPOST('ref','alpha');
$msid=GETPOST('msid','int');
@ -57,6 +54,9 @@ $action=GETPOST('action','aZ09');
$cancel=GETPOST('cancel','alpha');
$contextpage=GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'movementlist';
// Security check
$result=restrictedArea($user,'stock', $id, 'entrepot&stock');
$idproduct = GETPOST('idproduct','int');
$year = GETPOST("year");
$month = GETPOST("month");