From b670de36a9f511eafb7bfd55279faa922545c2d1 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Wed, 11 Jan 2012 22:07:17 +0800
Subject: [PATCH] Fix: add entity 0 for users and groups
---
 htdocs/comm/prospect/fiche.php | 4 ++--
 htdocs/core/lib/functions.lib.php | 9 ++++++++-
 htdocs/user/fiche.php | 6 +++---
 htdocs/user/group/fiche.php | 4 ++--
 htdocs/user/group/ldap.php | 9 ++++-----
 htdocs/user/group/perms.php | 2 +-
 htdocs/user/info.php | 3 ++-
 htdocs/user/ldap.php | 16 ++++++----------
 htdocs/user/note.php | 11 ++++-------
 htdocs/user/param_ihm.php | 4 ++--
 htdocs/user/perms.php | 12 ++++++------
 11 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/htdocs/comm/prospect/fiche.php b/htdocs/comm/prospect/fiche.php
index 8759e431483..82a79a17387 100644
--- a/htdocs/comm/prospect/fiche.php
+++ b/htdocs/comm/prospect/fiche.php
@@ -1,7 +1,7 @@
 * Copyright (C) 2004-2011 Laurent Destailleur
- * Copyright (C) 2005-2009 Regis Houssin
+ * Copyright (C) 2005-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -39,7 +39,7 @@ $langs->load('propal');
 // Security check
 $socid = GETPOST("socid");
 if ($user->societe_id) $socid=$user->societe_id;
-$result = restrictedArea($user, 'societe',$socid,'');
+$result = restrictedArea($user, 'societe', $socid, '&societe');
 /*
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 8227e33f119..25f78395f6d 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -210,7 +210,14 @@ function getEntity($element=false, $shared=false)
 }
 else
 {
- return $conf->entity;
+ $out='';
+
+ $addzero = array('user', 'usergroup');
+ if (in_array($element, $addzero)) $out.= '0,';
+
+ $out.= $conf->entity;
+
+ return $out;
 }
 }
diff --git a/htdocs/user/fiche.php b/htdocs/user/fiche.php
index 5cb79c1b98d..5db8e190e82 100644
--- a/htdocs/user/fiche.php
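Review bot: In htdocs/comm/prospect/fiche.php the new `restrictedArea()` call passes `'&societe'` as its fourth argument, an undocumented `table&element` string with an empty table part, and the file that defines `restrictedArea()` is not in this commit's diffstat, so how the `&` is parsed cannot be checked from this patch. If that parsing is absent or differs, the value would presumably be treated as a table name and the per-object check would fail or be skipped; please confirm it and document the format in the function's docblock. The same pattern appears as `'&user'` in htdocs/user/fiche.php, info.php, ldap.php, note.php, param_ihm.php and perms.php, and as `'usergroup&usergroup'` in htdocs/user/group/fiche.php. Separately, `$socid` reaches this check from `GETPOST("socid")` with no type check; `$socid = GETPOST("socid", 'int');` would match the `GETPOST('id', 'int')` form used elsewhere in the commit.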
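Review bot: `in_array($element, $addzero)` in the new else branch of getEntity() compares loosely while `$element` is untyped and defaults to `false`, so a non-string argument such as `true` (or `0` on PHP before 8) matches `'user'` and silently adds entity 0. Make it strict: `if (in_array($element, $addzero, true)) $out.= '0,';`. The branch also changes the return value from a single entity id to a comma-separated list such as `0,N`, which only works where the caller places it inside `IN (...)`; the callers for 'user' and 'usergroup' are not shown in this patch and need checking, since this value widens which entity's rows they match. A comment above `$addzero`, e.g. `// users and groups also match entity 0; returns a comma list`, would record the intent. The function starts and ends outside the hunk.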
+++ b/htdocs/user/fiche.php
@@ -3,7 +3,7 @@
 * Copyright (C) 2002-2003 Jean-Louis Bergamo
 * Copyright (C) 2004-2011 Laurent Destailleur
 * Copyright (C) 2004 Eric Seigne
- * Copyright (C) 2005-2011 Regis Houssin
+ * Copyright (C) 2005-2012 Regis Houssin
 * Copyright (C) 2005 Lionel Cousteix
 * Copyright (C) 2011 Herve Prot
 *
@@ -64,7 +64,7 @@ if ($id)
 }
 //Multicompany in mode transversal
-if(! empty($conf->multicompany->enabled) && $conf->entity > 1 && $conf->multicompany->transverse_mode)
+if (! empty($conf->multicompany->enabled) && $conf->entity > 1 && $conf->multicompany->transverse_mode)
 {
 accessforbidden();
 }
@@ -74,7 +74,7 @@ $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2='user';
 if ($user->id == $id) { $feature2=''; $canreaduser=1; } // A user can always read its own card
-$result = restrictedArea($user, 'user', $id, '', $feature2);
+$result = restrictedArea($user, 'user', $id, '&user', $feature2);
 if ($user->id <> $id && ! $canreaduser) accessforbidden();
 $langs->load("users");
diff --git a/htdocs/user/group/fiche.php b/htdocs/user/group/fiche.php
index 105057af858..9bf6c38b66b 100644
--- a/htdocs/user/group/fiche.php
+++ b/htdocs/user/group/fiche.php
@@ -1,7 +1,7 @@
 * Copyright (C) 2005-2011 Laurent Destailleur
- * Copyright (C) 2005-2011 Regis Houssin
+ * Copyright (C) 2005-2012 Regis Houssin
 * Copyright (C) 2011 Herve Prot
 *
 * This program is free software; you can redistribute it and/or modify
@@ -49,7 +49,7 @@ $confirm=GETPOST("confirm");
 $userid=GETPOST("user","int");
 // Security check
-$result = restrictedArea($user, 'user', $_GET["id"], 'usergroup', 'user');
+$result = restrictedArea($user, 'user', $id, 'usergroup&usergroup', 'user');
 if(! empty($conf->multicompany->enabled) && $conf->entity > 1 && $conf->multicompany->transverse_mode)
 {
diff --git a/htdocs/user/group/ldap.php b/htdocs/user/group/ldap.php
index 01be80d3564..4275fc08a79 100644
--- a/htdocs/user/group/ldap.php
+++ b/htdocs/user/group/ldap.php
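Review bot: In htdocs/user/fiche.php (hunk at -74) the own-card shortcut beside the changed call, `if ($user->id == $id) { $feature2=''; $canreaduser=1; }`, uses loose comparison, and the hunk does not show how `$id` is read. If `$id` comes from the request without the `'int'` check, a string that merely starts with the right digits compares equal to the session user's id on the PHP versions of this era while `restrictedArea()` receives the raw string. Reading it as `$id = GETPOST('id', 'int');`, as user/ldap.php and user/perms.php do in this commit, and comparing with `(int) $user->id === (int) $id` removes the ambiguity. The same applies to the `$user->id == $id` lines in htdocs/user/info.php, note.php and param_ihm.php.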
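Review bot: The security check in htdocs/user/group/fiche.php now passes `$id` instead of `$_GET["id"]`, but no assignment of `$id` is visible in this hunk; the lines above it only show `$confirm` and `$userid` being read. If `$id` is not set before this line, `restrictedArea()` receives an empty object id and the per-group check is presumably not applied, so confirm that `$id = GETPOST('id', 'int');` precedes the call. The old code read only the query string; whether `GETPOST` also accepts a POST value here is not shown and is worth stating in a comment if the change is intended.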
@@ -1,6 +1,6 @@
- * Copyright (C) 2006 Regis Houssin
+ * Copyright (C) 2006-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -39,8 +39,7 @@ if (! empty($conf->global->MAIN_USE_ADVANCED_PERMS))
 $canreadperms=($user->admin || $user->rights->user->group_advance->read);
 }
-// Protection quand utilisateur externe
-$contactid = isset($_GET["id"])?$_GET["id"]:'';
+$id = GETPOST('id', 'int');
 $socid=0;
 if ($user->societe_id > 0)
@@ -48,8 +47,8 @@ if ($user->societe_id > 0)
 $socid = $user->societe_id;
 }
-$fgroup = new Usergroup($db, $_GET["id"]);
-$fgroup->fetch($_GET["id"]);
+$fgroup = new Usergroup($db);
+$fgroup->fetch($id);
 $fgroup->getrights();
diff --git a/htdocs/user/group/perms.php b/htdocs/user/group/perms.php
index 20fcbf02931..9b367e7aeb4 100644
--- a/htdocs/user/group/perms.php
+++ b/htdocs/user/group/perms.php
@@ -3,7 +3,7 @@
 * Copyright (C) 2002-2003 Jean-Louis Bergamo
 * Copyright (C) 2004-2010 Laurent Destailleur
 * Copyright (C) 2004 Eric Seigne
- * Copyright (C) 2005-2011 Regis Houssin
+ * Copyright (C) 2005-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
diff --git a/htdocs/user/info.php b/htdocs/user/info.php
index b003c6f59da..64ca2fb6c81 100644
--- a/htdocs/user/info.php
+++ b/htdocs/user/info.php
@@ -1,5 +1,6 @@
+ * Copyright (C) 2005-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
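Review bot: In htdocs/user/group/ldap.php, `$id = GETPOST('id', 'int');` may be empty when the parameter is absent, and `$fgroup->fetch($id);` in the following hunk ignores its return value, so an empty or unknown id continues into `getrights()` and the rest of the page with an unloaded object. htdocs/user/perms.php in this commit guards the same input with `if (! isset($id) || empty($id)) accessforbidden();`; the same guard after the GETPOST line, plus a check of the fetch result, would be consistent. No `restrictedArea()` call is visible in either hunk of this file, so whether an object-level check exists elsewhere in it needs confirming. The `$fuser->fetch($id);` change in htdocs/user/ldap.php has the same unchecked fetch.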
@@ -41,7 +42,7 @@ if ($user->id == $id) // A user can always read its own card
 {
 $feature2='';
 }
-$result = restrictedArea($user, 'user', $id, '', $feature2);
+$result = restrictedArea($user, 'user', $id, '&user', $feature2);
 // If user is not user read and no permission to read other users, we stop
 if (($fuser->id != $user->id) && (! $user->rights->user->user->lire))
diff --git a/htdocs/user/ldap.php b/htdocs/user/ldap.php
index 131ec6de54c..47dfb03d81a 100644
--- a/htdocs/user/ldap.php
+++ b/htdocs/user/ldap.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2006 Regis Houssin
+/* Copyright (C) 2006-2012 Laurent Destailleur
+ * Copyright (C) 2006-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -32,21 +32,17 @@ $langs->load("admin");
 $langs->load("companies");
 $langs->load("ldap");
-// Protection quand utilisateur externe
-$contactid = isset($_GET["id"])?$_GET["id"]:'';
+$id = GETPOST('id', 'int');
 // Security check
 $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
-if ($user->id == $_GET["id"]) // A user can always read its own card
-{
- $feature2='';
-}
-$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
+if ($user->id == $id) $feature2=''; // A user can always read its own card
+$result = restrictedArea($user, 'user', $id, '&user', $feature2);
 $fuser = new User($db);
-$fuser->fetch($_GET["id"]);
+$fuser->fetch($id);
 $fuser->getrights();
diff --git a/htdocs/user/note.php b/htdocs/user/note.php
index a07a02ed8ce..33ea1745b27 100644
--- a/htdocs/user/note.php
+++ b/htdocs/user/note.php
@@ -1,6 +1,7 @@
 * Copyright (C) 2004-2011 Laurent Destailleur
+ * Copyright (C) 2005-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -38,18 +39,14 @@ $fuser = new User($db);
 $fuser->fetch($id);
 // If user is not user read and no permission to read other users, we stop
-if (($fuser->id != $user->id) && (! $user->rights->user->user->lire))
- accessforbidden();
+if (($fuser->id != $user->id) && (! $user->rights->user->user->lire)) accessforbidden();
 // Security check
 $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
 $feature2 = (($socid && $user->rights->user->self->creer)?'':'user');
-if ($user->id == $_GET["id"]) // A user can always read its own card
-{
- $feature2='';
-}
-$result = restrictedArea($user, 'user', $_GET["id"], '', $feature2);
+if ($user->id == $id) $feature2=''; // A user can always read its own card
+$result = restrictedArea($user, 'user', $id, '&user', $feature2);
diff --git a/htdocs/user/param_ihm.php b/htdocs/user/param_ihm.php
index add72a4ffb0..c58e6a7cb6a 100644
--- a/htdocs/user/param_ihm.php
+++ b/htdocs/user/param_ihm.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2010 Regis Houssin
+ * Copyright (C) 2010-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -54,7 +54,7 @@ if ($user->id == $id) // A user can always read its own card
 $feature2='';
 $canreaduser=1;
 }
-$result = restrictedArea($user, 'user', $id, '', $feature2);
+$result = restrictedArea($user, 'user', $id, '&user', $feature2);
 if ($user->id <> $id && ! $canreaduser) accessforbidden();
 $dirtop = "../core/menus/standard";
diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php
index 8c3cd5de551..c9064ca263f 100644
--- a/htdocs/user/perms.php
+++ b/htdocs/user/perms.php
@@ -3,7 +3,7 @@
 * Copyright (C) 2002-2003 Jean-Louis Bergamo
 * Copyright (C) 2004-2010 Laurent Destailleur
 * Copyright (C) 2004 Eric Seigne
- * Copyright (C) 2005-2011 Regis Houssin
+ * Copyright (C) 2005-2012 Regis Houssin
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -30,10 +30,10 @@ require_once(DOL_DOCUMENT_ROOT."/core/lib/usergroups.lib.php");
 $langs->load("users");
 $langs->load("admin");
-$id=GETPOST('id','int');
-$action=GETPOST("action");
-$confirm=GETPOST("confirm");
-$module=GETPOST("module");
+$id=GETPOST('id', 'int');
+$action=GETPOST('action', 'alpha');
+$confirm=GETPOST('confirm', 'alpha');
+$module=GETPOST('module');
 if (! isset($id) || empty($id)) accessforbidden();
@@ -58,7 +58,7 @@ if ($user->id == $id) // A user can always read its own card
 $feature2='';
 $canreaduser=1;
 }
-$result = restrictedArea($user, 'user', $id, '', $feature2);
+$result = restrictedArea($user, 'user', $id, '&user', $feature2);
 if ($user->id <> $id && ! $canreaduser) accessforbidden();
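Review bot: In htdocs/user/perms.php (hunk at -30) the rewrite gives `action` and `confirm` the `'alpha'` check but leaves `$module=GETPOST('module');` unfiltered. How `$module` is used lies outside the hunk; if it is a plain module identifier, pass the check that fits it, e.g. `$module=GETPOST('module', 'alpha');`, or add a comment saying why it must stay raw.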