From b50f12cd0a518c650d12a3660274905b1ada7b6a Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Mon, 13 Mar 2006 13:19:24 +0000
Subject: [PATCH] =?UTF-8?q?Ajout=20de=20la=20permission=20"consulter=20tou?= =?UTF-8?q?s=20les=20clients"=20dans=20le=20module=20commercial,=20afin=20?= =?UTF-8?q?=20qu'un=20commercial=20puisse=20voir=20que=20les=20clients=20q?= =?UTF-8?q?ui=20lui=20sont=20affect=E9s.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 htdocs/contrat/fiche.php | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)
diff --git a/htdocs/contrat/fiche.php b/htdocs/contrat/fiche.php
index 6d3fc3aaa56..0efa28f0981 100644
--- a/htdocs/contrat/fiche.php
+++ b/htdocs/contrat/fiche.php
@@ -38,10 +38,39 @@ $langs->load("orders"); $langs->load("companies"); $user->getrights('contrat'); +$user->getrights('commercial'); if (! $user->rights->contrat->lire) accessforbidden(); +// Sécurité accés client et commerciaux +$contratid = isset($_GET["id"])?$_GET["id"]:''; + +if ($user->societe_id > 0) +{ + $action = ''; + $socidp = $user->societe_id; +} + +// Protection restriction commercial +if ($contratid) +{ + $sql = "SELECT sc.fk_soc, c.fk_soc"; + $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."contrat as c"; + $sql .= " WHERE c.rowid = ".$contratid; + if (!$user->rights->commercial->client->voir && !$user->societe_id > 0) + { + $sql .= " AND sc.fk_soc = c.fk_soc AND sc.fk_user = ".$user->id; + } + if ($user->societe_id > 0) $sql .= " AND c.fk_soc = ".$socidp; + + if ( $db->query($sql) ) + { + if ( $db->num_rows() == 0) accessforbidden(); + } +} + + // Param si create $date_start=''; $date_end='';
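Review bot: In the new protection block, `$_GET["id"]` is concatenated unvalidated into `" WHERE c.rowid = ".$contratid`, so the access check itself is built from raw request input. Cast at the boundary, `$contratid = isset($_GET["id"]) ? (int) $_GET["id"] : 0;` — `if ($contratid)` keeps working since 0 is falsy, and the value is then a plain integer wherever it is reused below. The check also fails open: when `$db->query($sql)` returns false nothing reaches `accessforbidden()`, so `if (! $db->query($sql) || $db->num_rows() == 0) accessforbidden();` would deny on a query error as well as on an empty result. Finally `!$user->societe_id > 0` parses as `(!$user->societe_id) > 0`; `! ($user->societe_id > 0)` says what is meant. Note the guard only runs when the id arrives in `$_GET`; whether this page also takes it from `$_POST` is not visible in the hunk.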
@@ -75,13 +104,6 @@ if ($_POST["date_end_real_updatemonth"] && $_POST["date_end_real_updateday"] && $date_end_real_update=mktime(12, 0 , 0, $_POST["date_end_real_updatemonth"], $_POST["date_end_real_updateday"], $_POST["date_end_real_updateyear"]); } -// Sécurité accés client -if ($user->societe_id > 0) -{ - $action = ''; - $socidp = $user->societe_id; -} - /* * Actions