Fix bug huntr.dev

2021-10-25 15:32:10 +02:00 · 2021-10-25 15:32:10 +02:00 · ad2e567571
commit ad2e567571
parent d916fe121a
42 changed files with 151 additions and 73 deletions
--- a/htdocs/compta/bank/account_statement_document.php
+++ b/htdocs/compta/bank/account_statement_document.php
@ -120,6 +120,8 @@ if (GETPOST("rel") == 'prev') {
 	$found = true;
 }

+$permissiontoadd = $user->rights->banque->modifier;	// Used by the include of actions_dellink.inc.php
+

 /*
 * Actions
--- a/htdocs/compta/bank/document.php
+++ b/htdocs/compta/bank/document.php
@ -74,6 +74,8 @@ if ($id > 0 || !empty($ref)) {

 $result = restrictedArea($user, 'banque', $object->id, 'bank_account', '', '');

+$permissiontoadd = $user->rights->banque->modifier;	// Used by the include of actions_dellink.inc.php
+

 /*
 * Actions
--- a/htdocs/compta/bank/various_payment/document.php
+++ b/htdocs/compta/bank/various_payment/document.php
@ -69,6 +69,9 @@ $object->fetch($id, $ref);
 $upload_dir = $conf->bank->dir_output.'/'.dol_sanitizeFileName($object->id);
 $modulepart = 'banque';

+$permissiontoadd = $user->rights->banque->modifier;	// Used by the include of actions_dellink.inc.php
+
+

 /*
 * Actions
--- a/htdocs/compta/deplacement/document.php
+++ b/htdocs/compta/deplacement/document.php
@ -42,12 +42,6 @@ $ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');

-// Security check
-if ($user->socid) {
-	$socid = $user->socid;
-}
-$result = restrictedArea($user, 'deplacement', $id, '');
-

 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
@ -74,6 +68,14 @@ $object->fetch($id, $ref);
 $upload_dir = $conf->deplacement->dir_output.'/'.dol_sanitizeFileName($object->ref);
 $modulepart = 'trip';

+// Security check
+if ($user->socid) {
+	$socid = $user->socid;
+}
+$result = restrictedArea($user, 'deplacement', $id, '');
+
+$permissiontoadd = $user->rights->deplacement->creer;	// Used by the include of actions_dellink.inc.php
+

 /*
 * Actions
--- a/htdocs/compta/sociales/document.php
+++ b/htdocs/compta/sociales/document.php
@ -78,6 +78,8 @@ if ($user->socid) {
 }
 $result = restrictedArea($user, 'tax', $object->id, 'chargesociales', 'charges');

+$permissiontoadd = $user->rights->tax->charges->creer;	// Used by the include of actions_dellink.inc.php
+

 /*
 * Actions
--- a/htdocs/compta/tva/document.php
+++ b/htdocs/compta/tva/document.php
@ -79,6 +79,8 @@ if ($user->socid) {
 }
 $result = restrictedArea($user, 'tax', '', 'tva', 'charges');

+$permissiontoadd = $user->rights->tax->charges->creer;	// Used by the include of actions_dellink.inc.php
+

 /*
 * Actions
@ -86,7 +88,7 @@ $result = restrictedArea($user, 'tax', '', 'tva', 'charges');

 include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';

-if ($action == 'setlib' && $user->rights->tax->charges->creer) {
+if ($action == 'setlib' && $permissiontoadd) {
 	$object->fetch($id);
 	$result = $object->setValueFrom('label', GETPOST('lib', 'alpha'), '', '', 'text', '', $user, 'TAX_MODIFY');
 	if ($result < 0) {
--- a/htdocs/contact/document.php
+++ b/htdocs/contact/document.php
@ -49,12 +49,6 @@ if (!empty($canvas)) {
 	$objcanvas->getCanvas('contact', 'contactcard', $canvas);
 }

-// Security check
-if ($user->socid) {
-	$socid = $user->socid;
-}
-$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission
-
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST("sortfield", 'alpha');
@ -91,6 +85,15 @@ $modulepart = 'contact';
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('contactdocument'));

+// Security check
+if ($user->socid) {
+	$socid = $user->socid;
+}
+$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission
+
+$permissiontoadd = $user->rights->societe->contact->creer;	// Used by the include of actions_dellink.inc.php
+
+
 /*
 * Actions
 */
--- a/htdocs/contrat/document.php
+++ b/htdocs/contrat/document.php
@ -84,6 +84,8 @@ $modulepart = 'contract';
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('contractcard', 'globalcard'));

+$permissiontoadd = $user->rights->contrat->creer;	// Used by the include of actions_dellink.inc.php
+

 /*
 * Actions
--- a/htdocs/don/document.php
+++ b/htdocs/don/document.php
@ -80,6 +80,8 @@ $object->fetch($id, $ref);
 $upload_dir = $conf->don->dir_output.'/'.get_exdir($filename, 0, 0, 0, $object, 'donation').'/'.dol_sanitizeFileName($object->ref);
 $modulepart = 'don';

+$permissiontoadd = $user->rights->don->creer;	// Used by the include of actions_dellink.inc.php
+

 /*
 * Actions
--- a/htdocs/expedition/card.php
+++ b/htdocs/expedition/card.php
@ -122,7 +122,7 @@ if ($user->socid) {
 $result = restrictedArea($user, 'expedition', $object->id, '');

 $permissiondellink = $user->rights->expedition->delivery->creer; // Used by the include of actions_dellink.inc.php
-//var_dump($object->lines[0]->detail_batch);
+$permissiontoadd = $user->rights->expedition->creer;


 /*
@ -152,7 +152,6 @@ if (empty($reshook)) {

 	// Actions to build doc
 	$upload_dir = $conf->expedition->dir_output.'/sending';
-	$permissiontoadd = $user->rights->expedition->creer;
 	include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';

 	// Reopen
--- a/htdocs/expedition/document.php
+++ b/htdocs/expedition/document.php
@ -76,6 +76,8 @@ if ($user->socid) {
 }
 $result = restrictedArea($user, 'expedition', $object->id, '');

+$permissiontoadd = $user->rights->expedition->creer;	// Used by the include of actions_dellink.inc.php
+

 /*
 * Actions
--- a/htdocs/expensereport/card.php
+++ b/htdocs/expensereport/card.php
@ -139,6 +139,8 @@ if ($user->socid) {
 }
 $result = restrictedArea($user, 'expensereport', $object->id, 'expensereport');

+$permissiontoadd = $user->rights->expensereport->creer;	// Used by the include of actions_dellink.inc.php
+

 /*
 * Actions
@ -1339,7 +1341,6 @@ if (empty($reshook)) {

 	// Actions to build doc
 	$upload_dir = $conf->expensereport->dir_output;
-	$permissiontoadd = $user->rights->expensereport->creer;
 	include DOL_DOCUMENT_ROOT.'/core/actions_builddoc.inc.php';
 }

--- a/htdocs/expensereport/document.php
+++ b/htdocs/expensereport/document.php
@ -44,13 +44,6 @@ $confirm = GETPOST('confirm', 'alpha');

 $childids = $user->getAllChildIds(1);

-// Security check
-if ($user->socid) {
-	$socid = $user->socid;
-}
-$result = restrictedArea($user, 'expensereport', $id, 'expensereport');
-
-
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'aZ09comma');
@ -81,6 +74,12 @@ $modulepart = 'trip';
 // Load object
 //include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php';  // Must be include, not include_once  // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals

+// Security check
+if ($user->socid) {
+	$socid = $user->socid;
+}
+$result = restrictedArea($user, 'expensereport', $id, 'expensereport');
+
 if ($object->id > 0) {
 	// Check current user can read this expense report
 	$canread = 0;
@ -95,6 +94,8 @@ if ($object->id > 0) {
 	}
 }

+$permissiontoadd = $user->rights->expensereport->creer;	// Used by the include of actions_dellink.inc.php
+

 /*
 * Actions
--- a/htdocs/fichinter/card.php
+++ b/htdocs/fichinter/card.php
@ -71,12 +71,6 @@ $hidedetails = (GETPOST('hidedetails', 'int') ? GETPOST('hidedetails', 'int') :
 $hidedesc = (GETPOST('hidedesc', 'int') ? GETPOST('hidedesc', 'int') : (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_DESC) ? 1 : 0));
 $hideref = (GETPOST('hideref', 'int') ? GETPOST('hideref', 'int') : (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_REF) ? 1 : 0));

-// Security check
-if ($user->socid) {
-	$socid = $user->socid;
-}
-$result = restrictedArea($user, 'ficheinter', $id, 'fichinter');
-
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('interventioncard', 'globalcard'));

@ -96,6 +90,12 @@ if ($id > 0 || !empty($ref)) {
 	}
 }

+// Security check
+if ($user->socid) {
+	$socid = $user->socid;
+}
+$result = restrictedArea($user, 'ficheinter', $id, 'fichinter');
+
 $permissionnote = $user->rights->ficheinter->creer; // Used by the include of actions_setnotes.inc.php
 $permissiondellink = $user->rights->ficheinter->creer; // Used by the include of actions_dellink.inc.php

--- a/htdocs/fichinter/document.php
+++ b/htdocs/fichinter/document.php
@ -78,6 +78,8 @@ $object->fetch($id, $ref);
 $upload_dir = $conf->ficheinter->dir_output.'/'.dol_sanitizeFileName($object->ref);
 $modulepart = 'fichinter';

+$permissiontoadd = $user->rights->ficheinter->creer; // Used by the include of actions_setnotes.inc.php
+

 /*
 * Actions
--- a/htdocs/fourn/commande/document.php
+++ b/htdocs/fourn/commande/document.php
@ -46,12 +46,6 @@ $ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');

-// Security check
-if ($user->socid) {
-	$socid = $user->socid;
-}
-$result = restrictedArea($user, 'fournisseur', $id, 'commande_fournisseur', 'commande');
-
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST("sortfield", 'alpha');
@ -81,6 +75,15 @@ if ($object->fetch($id, $ref) < 0) {
 $upload_dir = $conf->fournisseur->commande->dir_output.'/'.dol_sanitizeFileName($object->ref);
 $object->fetch_thirdparty();

+// Security check
+$socid = 0;
+if ($user->socid) {
+	$socid = $user->socid;
+}
+$result = restrictedArea($user, 'fournisseur', $id, 'commande_fournisseur', 'commande');
+
+$permissiontoadd = ($user->rights->fournisseur->commande->creer || $user->rights->supplier_order->creer); // Used by the include of actions_setnotes.inc.php
+

 /*
 * Actions
--- a/htdocs/fourn/facture/document.php
+++ b/htdocs/fourn/facture/document.php
@ -77,6 +77,8 @@ if ($object->fetch($id, $ref)) {
 	$upload_dir = $conf->fournisseur->facture->dir_output.'/'.get_exdir($object->id, 2, 0, 0, $object, 'invoice_supplier').$ref;
 }

+$permissiontoadd = ($user->rights->fournisseur->facture->creer || $user->rights->supplier_invoice->creer); // Used by the include of actions_setnotes.inc.php
+

 /*
 * Actions
--- a/htdocs/fourn/paiement/document.php
+++ b/htdocs/fourn/paiement/document.php
@ -79,6 +79,9 @@ if ($object->fetch($id, $ref)) {
 	$upload_dir = $conf->fournisseur->payment->dir_output.'/'.dol_sanitizeFileName($object->ref);
 }

+$permissiontoadd = ($user->rights->fournisseur->facture->creer || $user->rights->supplier_invoice->creer); // Used by the include of actions_setnotes.inc.php
+
+
 /*
 * Actions
 */
--- a/htdocs/holiday/document.php
+++ b/htdocs/holiday/document.php
@ -120,6 +120,7 @@ if ($user->socid) {
 }
 $result = restrictedArea($user, 'holiday', $object->id, 'holiday');

+$permissiontoadd = $user->rights->holiday->write; // Used by the include of actions_setnotes.inc.php


 /*
--- a/htdocs/knowledgemanagement/knowledgerecord_document.php
+++ b/htdocs/knowledgemanagement/knowledgerecord_document.php
@ -80,7 +80,7 @@ if ($id > 0 || !empty($ref)) {
 //if ($user->socid > 0) $socid = $user->socid;
 //$result = restrictedArea($user, 'knowledgemanagement', $object->id);

-$permissiontoadd = $user->rights->knowledgemanagement->knowledgerecord->write; // Used by the include of actions_addupdatedelete.inc.php
+$permissiontoadd = $user->rights->knowledgemanagement->knowledgerecord->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php



--- a/htdocs/loan/document.php
+++ b/htdocs/loan/document.php
@ -71,6 +71,8 @@ if ($id > 0) {
 $upload_dir = $conf->loan->dir_output.'/'.dol_sanitizeFileName($object->ref);
 $modulepart = 'loan';

+$permissiontoadd = $user->rights->loan->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php
+

 /*
 * Actions
--- a/htdocs/mrp/mo_document.php
+++ b/htdocs/mrp/mo_document.php
@ -83,12 +83,14 @@ if ($id > 0 || !empty($ref)) {
 $isdraft = (($object->status == $object::STATUS_DRAFT) ? 1 : 0);
 $result = restrictedArea($user, 'mrp', $object->id, 'mrp_mo', '', 'fk_soc', 'rowid', $isdraft);

+$permissiontoadd = $user->rights->mrp->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php
+

 /*
 * Actions
 */

-include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';
+include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php'; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php


 /*
--- a/htdocs/product/card.php
+++ b/htdocs/product/card.php
@ -179,6 +179,9 @@ if ($object->id > 0) {
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('productcard', 'globalcard'));

+$usercanread = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->lire) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->lire));
+$usercancreate = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer));
+$usercandelete = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer));


 /*
@ -189,9 +192,6 @@ if ($cancel) {
 	$action = '';
 }

-$usercanread = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->lire) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->lire));
-$usercancreate = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer));
-$usercandelete = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->supprimer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->supprimer));
 $createbarcode = empty($conf->barcode->enabled) ? 0 : 1;
 if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && empty($user->rights->barcode->creer_advance)) {
 	$createbarcode = 0;
--- a/htdocs/product/document.php
+++ b/htdocs/product/document.php
@ -96,8 +96,6 @@ if ($id > 0 || !empty($ref)) {
 $modulepart = 'produit';


-$permissiontoadd = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer));
-
 if ($object->id > 0) {
 	if ($object->type == $object::TYPE_PRODUCT) {
 		restrictedArea($user, 'produit', $object->id, 'product&product', '', '');
@ -109,6 +107,8 @@ if ($object->id > 0) {
 	restrictedArea($user, 'produit|service', $fieldvalue, 'product&product', '', '', $fieldtype);
 }

+$permissiontoadd = (($object->type == Product::TYPE_PRODUCT && $user->rights->produit->creer) || ($object->type == Product::TYPE_SERVICE && $user->rights->service->creer));
+

 /*
 * Actions
--- a/htdocs/product/stock/card.php
+++ b/htdocs/product/stock/card.php
@ -87,6 +87,10 @@ if ($id > 0 || !empty($ref)) {
 	}
 }

+$usercanread = (($user->rights->stock->lire));
+$usercancreate = (($user->rights->stock->creer));
+$usercandelete = (($user->rights->stock->supprimer));
+

 /*
 * Actions
@ -94,10 +98,6 @@ if ($id > 0 || !empty($ref)) {

 $error = 0;

-$usercanread = (($user->rights->stock->lire));
-$usercancreate = (($user->rights->stock->creer));
-$usercandelete = (($user->rights->stock->supprimer));
-
 $parameters = array('id'=>$id, 'ref'=>$ref);
 $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
 if ($reshook < 0) {
--- a/htdocs/product/stock/productlot_document.php
+++ b/htdocs/product/stock/productlot_document.php
@ -100,6 +100,7 @@ if (empty($upload_dir)) {

 $permissiontoread = $usercanread;
 $permissiontoadd = $usercancreate;
+$permtoedit = $user->rights->produit->creer;
 //$permissiontodelete = $usercandelete;

 // Security check
@ -130,8 +131,6 @@ if (empty($reshook)) {
 	include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';
 }

-$permtoedit = $user->rights->produit->creer;
-

 /*
 *	View
--- a/htdocs/projet/document.php
+++ b/htdocs/projet/document.php
@ -82,6 +82,7 @@ $socid = 0;
 //if ($user->socid > 0) $socid = $user->socid;    // For external user, no check is done on company because readability is managed by public status of project and assignement.
 $result = restrictedArea($user, 'projet', $id, 'projet&project');

+$permissiontoadd = $user->rights->projet->creer;


 /*
--- a/htdocs/projet/tasks/document.php
+++ b/htdocs/projet/tasks/document.php
@ -74,6 +74,7 @@ $socid = 0;

 restrictedArea($user, 'projet', $object->fk_project, 'projet&project');

+$permissiontoadd = $$user->rights->mrp->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles.inc.php


 /*
--- a/htdocs/resource/agenda.php
+++ b/htdocs/resource/agenda.php
@ -71,14 +71,18 @@ if (!$sortorder) {
 	$sortorder = 'DESC,DESC';
 }

-$object = new DolResource($db);
-$object->fetch($id, $ref);
-
 // Initialize technical objects
 //$object=new MyObject($db);
 $extrafields = new ExtraFields($db);
 $hookmanager->initHooks(array('agendaresource'));

+$object = new DolResource($db);
+
+// Load object
+include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once.
+
+$result = restrictedArea($user, 'resource', $object->id, 'resource');
+
 // Security check
 if (!$user->rights->resource->read) {
 	accessforbidden();
--- a/htdocs/resource/card.php
+++ b/htdocs/resource/card.php
@ -48,10 +48,6 @@ if ($user->socid > 0) {
 	accessforbidden();
 }

-if (!$user->rights->resource->read) {
-	accessforbidden();
-}
-
 $object = new Dolresource($db);

 $extrafields = new ExtraFields($db);
@ -59,6 +55,14 @@ $extrafields = new ExtraFields($db);
 // fetch optionals attributes and labels
 $extrafields->fetch_name_optionals_label($object->table_element);

+// Load object
+include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once.
+
+
+$result = restrictedArea($user, 'resource', $object->id, 'resource');
+
+$permissiontoadd = $user->rights->resource->write; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php
+


 /*
--- a/htdocs/resource/contact.php
+++ b/htdocs/resource/contact.php
@ -38,14 +38,21 @@ $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');

+$object = new DolResource($db);
+
+// Load object
+include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once.
+
 // Security check
 if ($user->socid) {
 	$socid = $user->socid;
 }
-$result = restrictedArea($user, 'resource', $id, 'resource');
+$result = restrictedArea($user, 'resource', $object->id, 'resource');

-$object = new DolResource($db);
-$result = $object->fetch($id, $ref);
+// Security check
+if (!$user->rights->resource->read) {
+	accessforbidden();
+}


 /*
--- a/htdocs/resource/document.php
+++ b/htdocs/resource/document.php
@ -70,11 +70,17 @@ if (!$sortfield) {


 $object = new DolResource($db);
-$object->fetch($id, $ref);
+
+// Load object
+include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once.

 $upload_dir = $conf->resource->dir_output.'/'.dol_sanitizeFileName($object->ref);
 $modulepart = 'resource';

+$result = restrictedArea($user, 'resource', $object->id, 'resource');
+
+$permissiontoadd = $user->rights->resource->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles
+

 /*
 * Actions
--- a/htdocs/resource/element_resource.php
+++ b/htdocs/resource/element_resource.php
@ -76,6 +76,7 @@ if ($socid > 0) { // Special for thirdparty
 	$element = 'societe';
 }

+// Permission is not permission on resources. We just make link here on objects.


 /*
--- a/htdocs/resource/list.php
+++ b/htdocs/resource/list.php
@ -66,10 +66,10 @@ $filter = array();

 $param = '';
 if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) {
-	$param .= '&amp;contextpage='.urlencode($contextpage);
+	$param .= '&contextpage='.urlencode($contextpage);
 }
 if ($limit > 0 && $limit != $conf->liste_limit) {
-	$param .= '&amp;limit='.urlencode($limit);
+	$param .= '&limit='.urlencode($limit);
 }

 if ($search_ref != '') {
@ -126,9 +126,6 @@ $offset = $limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;

-if (!$user->rights->resource->read) {
-		accessforbidden();
-}
 $arrayfields = array(
 		't.ref' => array(
 				'label' => $langs->trans("Ref"),
@ -156,6 +153,10 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x'
 	$filter = array();
 }

+if (empty($user->rights->resource->read)) {
+	accessforbidden();
+}
+

 /*
 * Action
--- a/htdocs/resource/note.php
+++ b/htdocs/resource/note.php
@ -43,10 +43,12 @@ if ($user->socid) {
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('resourcenote'));

-$result = restrictedArea($user, 'resource', $id, 'resource');
-
 $object = new DolResource($db);
-$object->fetch($id, $ref);
+
+// Load object
+include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once.
+
+$result = restrictedArea($user, 'resource', $object->id, 'resource');

 $permissionnote = $user->rights->resource->write; // Used by the include of actions_setnotes.inc.php

--- a/htdocs/salaries/document.php
+++ b/htdocs/salaries/document.php
@ -104,6 +104,8 @@ if ($user->socid) {
 }
 restrictedArea($user, 'salaries', $object->id, 'salary', '');

+$permissiontoadd = $user->rights->salaries->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles
+

 /*
 * Actions
--- a/htdocs/societe/document.php
+++ b/htdocs/societe/document.php
@ -85,6 +85,8 @@ if ($user->socid > 0) {
 }
 $result = restrictedArea($user, 'societe', $object->id, '&societe');

+$permissiontoadd = $user->rights->societe->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles
+

 /*
 * Actions
--- a/htdocs/supplier_proposal/document.php
+++ b/htdocs/supplier_proposal/document.php
@ -73,6 +73,15 @@ $object->fetch($id, $ref);
 if ($object->id > 0) {
 	$object->fetch_thirdparty();
 	$upload_dir = $conf->supplier_proposal->dir_output.'/'.dol_sanitizeFileName($object->ref);
+}
+
+
+
+/*
+ * Actions
+ */
+
+if ($object->id > 0) {
 	include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';
 }

@ -80,6 +89,7 @@ if ($object->id > 0) {
 /*
 * View
 */
+
 $title = $langs->trans('CommRequest')." - ".$langs->trans('Documents');
 $help_url = 'EN:Ask_Price_Supplier|FR:Demande_de_prix_fournisseur';
 llxHeader('', $title, $help_url);
--- a/htdocs/ticket/document.php
+++ b/htdocs/ticket/document.php
@ -70,7 +70,7 @@ if ($result < 0) {
 	$upload_dir = $conf->ticket->dir_output."/".dol_sanitizeFileName($object->ref);
 }

-$permissiontoadd = $user->rights->ticket->write;
+$permissiontoadd = $user->rights->ticket->write;	// Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles

 // Security check - Protection if external user
 $result = restrictedArea($user, 'ticket', $object->id);
--- a/htdocs/user/document.php
+++ b/htdocs/user/document.php
@ -60,7 +60,7 @@ if ($id) {
 	|| (($user->id != $id) && $user->rights->user->user->password));
 }

-$permissiontoadd = $caneditfield;
+$permissiontoadd = $caneditfield;	// Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles
 $permtoedit = $caneditfield;

 // Security check
@ -107,6 +107,7 @@ if ($id > 0 || !empty($ref)) {
 $hookmanager->initHooks(array('usercard', 'userdoc', 'globalcard'));


+
 /*
 * Actions
 */
@ -139,8 +140,6 @@ if ($object->id) {
 	}
 	$head = user_prepare_head($object);

-	$form = new Form($db);
-
 	print dol_get_fiche_head($head, 'document', $langs->trans("User"), -1, 'user');

 	$linkback = '';
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@ -339,6 +339,7 @@ if ($action == 'replacesiteconfirm') {
 }

 $usercanedit = $user->rights->website->write;
+$permissiontoadd = $user->rights->website->write;	// Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles
 $permissiontodelete = $user->rights->website->delete;


--- a/htdocs/workstation/workstation_document.php
+++ b/htdocs/workstation/workstation_document.php
@ -74,12 +74,12 @@ if ($id > 0 || !empty($ref)) {
 	$upload_dir = $conf->workstation->multidir_output[$object->entity ? $object->entity : $conf->entity]."/workstation/".get_exdir(0, 0, 0, 1, $object);
 }

-$permissiontoadd = $user->rights->workstation->workstation->write; // Used by the include of actions_addupdatedelete.inc.php
-
 // Security check
 $isdraft = 0;
 restrictedArea($user, $object->element, $object->id, $object->table_element, 'workstation', 'fk_soc', 'rowid', $isdraft);

+$permissiontoadd = $user->rights->workstation->workstation->write; // Used by the include of actions_addupdatedelete.inc.php and actions_linkedfiles
+

 /*
 * Actions