From aa4c5ae839ff60961e47fb463febfb9e26c24121 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Thu, 14 Feb 2019 10:12:15 +0100 Subject: [PATCH] FIX missing access security checking with multicompany --- htdocs/core/lib/security.lib.php | 4 ++-- htdocs/product/stock/card.php | 2 +- htdocs/product/stock/info.php | 2 +- htdocs/product/stock/mouvement.php | 6 +++--- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index d12ee339909..65a4a5bdc93 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -451,12 +451,12 @@ function checkUserAccessToObject($user, $featuresarray, $objectid=0, $tableandsh if ($feature == 'project') $feature='projet'; if ($feature == 'task') $feature='projet_task'; - $check = array('adherent','banque','don','user','usergroup','product','produit','service','produit|service','categorie','resource'); // Test on entity only (Objects with no link to company) + $check = array('adherent','banque','don','user','usergroup','product','produit','service','produit|service','stock','categorie','resource'); // Test on entity only (Objects with no link to company) $checksoc = array('societe'); // Test for societe object $checkother = array('contact','agenda'); // Test on entity and link to third party. Allowed if link is empty (Ex: contacts...). $checkproject = array('projet','project'); // Test for project object $checktask = array('projet_task'); - $nocheck = array('barcode','stock'); // No test + $nocheck = array('barcode'); // No test $checkdefault = 'all other not already defined'; // Test on entity and link to third party. Not allowed if link is empty (Ex: invoice, orders...). // If dbtablename not defined, we use same name for table than module name diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php index 41e70a6fbf9..01529d33f35 100644 --- a/htdocs/product/stock/card.php +++ b/htdocs/product/stock/card.php @@ -52,7 +52,7 @@ if (! $sortorder) $sortorder="DESC"; $backtopage=GETPOST('backtopage','alpha'); // Security check -$result=restrictedArea($user,'stock'); +$result=restrictedArea($user,'stock', $id, 'entrepot&stock'); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('warehousecard','globalcard')); diff --git a/htdocs/product/stock/info.php b/htdocs/product/stock/info.php index 4653a56495d..c8897412e04 100644 --- a/htdocs/product/stock/info.php +++ b/htdocs/product/stock/info.php @@ -33,7 +33,7 @@ $id = GETPOST('id','int'); $ref = GETPOST('ref','alpha'); // Security check -$result=restrictedArea($user,'stock'); +$result=restrictedArea($user,'stock', $id, 'entrepot&stock'); /* diff --git a/htdocs/product/stock/mouvement.php b/htdocs/product/stock/mouvement.php index 410396a152b..21aa103fafb 100644 --- a/htdocs/product/stock/mouvement.php +++ b/htdocs/product/stock/mouvement.php @@ -46,9 +46,6 @@ if (! empty($conf->projet->enabled)) $langs->loadLangs(array('products', 'stocks')); if (! empty($conf->productbatch->enabled)) $langs->load("productbatch"); -// Security check -$result=restrictedArea($user,'stock'); - $id=GETPOST('id','int'); $ref = GETPOST('ref','alpha'); $msid=GETPOST('msid','int'); @@ -57,6 +54,9 @@ $action=GETPOST('action','aZ09'); $cancel=GETPOST('cancel','alpha'); $contextpage=GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'movementlist'; +// Security check +$result=restrictedArea($user,'stock', $id, 'entrepot&stock'); + $idproduct = GETPOST('idproduct','int'); $year = GETPOST("year"); $month = GETPOST("month");