From 25686e82c9f5043dbadd9ba496707e0a13dceced Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Thu, 3 Mar 2016 08:41:39 +0100 Subject: [PATCH] Fix: best compatibility with multicompany and others security issue --- htdocs/holiday/card.php | 158 ++++++++---------- htdocs/holiday/class/holiday.class.php | 60 +++++-- htdocs/holiday/define_holiday.php | 29 ++-- htdocs/holiday/list.php | 14 +- .../install/mysql/migration/3.8.0-3.9.0.sql | 1 + .../install/mysql/tables/llx_holiday.key.sql | 4 +- 6 files changed, 142 insertions(+), 124 deletions(-) diff --git a/htdocs/holiday/card.php b/htdocs/holiday/card.php index 59c920c26ca..8cae9592033 100644 --- a/htdocs/holiday/card.php +++ b/htdocs/holiday/card.php @@ -1,9 +1,9 @@ - * Copyright (C) 2012-2015 Laurent Destailleur - * Copyright (C) 2012 Regis Houssin - * Copyright (C) 2013 Juanjo Menent - * Copyright (C) 2014 Ferran Marcet +/* Copyright (C) 2011 Dimitri Mouillard + * Copyright (C) 2012-2015 Laurent Destailleur + * Copyright (C) 2012-2016 Regis Houssin + * Copyright (C) 2013 Juanjo Menent + * Copyright (C) 2014 Ferran Marcet * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -91,23 +91,23 @@ if ($action == 'create') $error++; $action='create'; } - + // If no start date if (empty($date_debut)) { - header('Location: card.php?action=request&error=nodatedebut'); + header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=nodatedebut'); exit; } // If no end date if (empty($date_fin)) { - header('Location: card.php?action=request&error=nodatefin'); + header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=nodatefin'); exit; } // If start date after end date if ($date_debut > $date_fin) { - header('Location: card.php?action=request&error=datefin'); + header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=datefin'); exit; } 
@@ -115,15 +115,15 @@ if ($action == 'create') $verifCP = $cp->verifDateHolidayCP($userID, $date_debut, $date_fin, $halfday); if (! $verifCP) { - header('Location: card.php?action=request&error=alreadyCP'); + header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=alreadyCP'); exit; } - // If there is no Business Days within request + // If there is no Business Days within request $nbopenedday=num_open_day($date_debut_gmt, $date_fin_gmt, 0, 1, $halfday); if($nbopenedday < 0.5) { - header('Location: card.php?action=request&error=DureeHoliday'); + header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=DureeHoliday'); exit; } @@ -137,7 +137,7 @@ if ($action == 'create') $result = 0; $result = 0; - + if (! $error) { $cp->fk_user = $userid; @@ -147,16 +147,16 @@ if ($action == 'create') $cp->fk_validator = $valideur; $cp->halfday = $halfday; $cp->fk_type = $type; - + $result = $cp->create($user); } - + // If no SQL error we redirect to the request card if (! $error && $result > 0) { $db->commit(); - header('Location: card.php?id='.$result); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } else @@ -179,15 +179,15 @@ if ($action == 'update') else if ($starthalfday == 'afternoon') $halfday=-1; else if ($endhalfday == 'morning') $halfday=1; - // If no right to modify a request + // If no right to modify a request if (! $user->rights->holiday->write) { - header('Location: card.php?action=request&error=CantUpdate'); + header('Location: '.$_SERVER["PHP_SELF"].'?action=request&error=CantUpdate'); exit; } $cp = new Holiday($db); - $cp->fetch($_POST['holiday_id']); + $cp->fetch($id); $canedit=(($user->id == $cp->fk_user && $user->rights->holiday->write) || ($user->id != $cp->fk_user && $user->rights->holiday->write_all)); 
@@ -202,25 +202,25 @@ if ($action == 'update') // If no start date if (empty($_POST['date_debut_'])) { - header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=nodatedebut'); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=nodatedebut'); exit; } // If no end date if (empty($_POST['date_fin_'])) { - header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=nodatefin'); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=nodatefin'); exit; } // If start date after end date if ($date_debut > $date_fin) { - header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=datefin'); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=datefin'); exit; } // If no validator designated if ($valideur < 1) { - header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=Valideur'); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=Valideur'); exit; } @@ -228,7 +228,7 @@ if ($action == 'update') $nbopenedday=num_open_day($date_debut_gmt, $date_fin_gmt, 0, 1, $halfday); if ($nbopenedday < 0.5) { - header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=DureeHoliday'); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=DureeHoliday'); exit; } 
@@ -242,18 +242,18 @@ if ($action == 'update') $verif = $cp->update($user->id); if ($verif > 0) { - header('Location: card.php?id='.$_POST['holiday_id']); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } else { // Otherwise we display the request form with the SQL error message - header('Location: card.php?id='.$_POST['holiday_id'].'&action=edit&error=SQL_Create&msg='.$cp->error); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=SQL_Create&msg='.$cp->error); exit; } } } else { - header('Location: card.php?id='.$_POST['holiday_id']); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } } @@ -276,7 +276,7 @@ if ($action == 'confirm_delete' && GETPOST('confirm') == 'yes' && $user->rights- // Si l'utilisateur à le droit de lire cette demande, il peut la supprimer if ($canedit) { - $result=$cp->delete($id); + $result=$cp->delete($cp->id); } else { @@ -303,7 +303,7 @@ if ($action == 'confirm_send') $cp->fetch($id); $canedit=(($user->id == $cp->fk_user && $user->rights->holiday->write) || ($user->id != $cp->fk_user && $user->rights->holiday->write_all)); - + // Si brouillon et créateur if($cp->statut == 1 && $canedit) { @@ -321,7 +321,7 @@ if ($action == 'confirm_send') if (!$emailTo) { - header('Location: card.php?id='.$_GET['id']); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } 
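Review bot: The redirects in this hunk append `$cp->error` to the query string raw (`'&action=edit&error=SQL_Create&msg='.$cp->error`); a database error text can contain `&`, `=`, spaces or non-ASCII bytes, which breaks the URL and lets parts of the message be read back by card.php as extra parameters. Wrap it: `header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&action=edit&error=SQL_Create&msg='.urlencode($cp->error));`. The same applies to `$mail->error` in `error_content=` and to `msg=` in the hunks at @@ -380, @@ -464, @@ -539 and @@ -648. The `update` action's block continues outside this hunk.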
@@ -370,7 +370,7 @@ if ($action == 'confirm_send') $message.= "\n"; $message.= "- ".$langs->transnoentitiesnoconv("Name")." : ".dolGetFirstLastname($expediteur->firstname, $expediteur->lastname)."\n"; $message.= "- ".$langs->transnoentitiesnoconv("Period")." : ".dol_print_date($cp->date_debut,'day')." ".$langs->transnoentitiesnoconv("To")." ".dol_print_date($cp->date_fin,'day')."\n"; - $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->rowid."\n\n"; + $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->id."\n\n"; $message.= "\n"; $mail = new CMailFile($subject,$emailTo,$emailFrom,$message); @@ -380,16 +380,16 @@ if ($action == 'confirm_send') if (!$result) { - header('Location: card.php?id='.$_GET['id'].'&error=mail&error_content='.$mail->error); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=mail&error_content='.$mail->error); exit; } - header('Location: card.php?id='.$_GET['id']); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } else { // Sinon on affiche le formulaire de demande avec le message d'erreur SQL - header('Location: card.php?id='.$_GET['id'].'&error=SQL_Create&msg='.$cp->error); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=SQL_Create&msg='.$cp->error); exit; } } @@ -433,7 +433,7 @@ if ($action == 'confirm_valid') if (!$emailTo) { - header('Location: card.php?id='.$_GET['id']); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } 
@@ -455,7 +455,7 @@ if ($action == 'confirm_valid') $message.= "- ".$langs->transnoentitiesnoconv("ValidatedBy")." : ".dolGetFirstLastname($expediteur->firstname, $expediteur->lastname)."\n"; - $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->rowid."\n\n"; + $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->id."\n\n"; $message.= "\n"; $mail = new CMailFile($subject,$emailTo,$emailFrom,$message); @@ -464,15 +464,15 @@ if ($action == 'confirm_valid') $result=$mail->sendfile(); if(!$result) { - header('Location: card.php?id='.$_GET['id'].'&error=mail&error_content='.$mail->error); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=mail&error_content='.$mail->error); exit; } - header('Location: card.php?id='.$_GET['id']); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } else { // Sinon on affiche le formulaire de demande avec le message d'erreur SQL - header('Location: card.php?id='.$_GET['id'].'&error=SQL_Create&msg='.$cp->error); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=SQL_Create&msg='.$cp->error); exit; } @@ -485,7 +485,7 @@ if ($action == 'confirm_refuse') if (! empty($_POST['detail_refuse'])) { $cp = new Holiday($db); - $cp->fetch($_GET['id']); + $cp->fetch($id); // Si statut en attente de validation et valideur = utilisateur if ($cp->statut == 2 && $user->id == $cp->fk_validator) @@ -507,7 +507,7 @@ if ($action == 'confirm_refuse') if (!$emailTo) { - header('Location: card.php?id='.$_GET['id']); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } 
@@ -530,7 +530,7 @@ if ($action == 'confirm_refuse') $message.= "- ".$langs->transnoentitiesnoconv("ModifiedBy")." : ".dolGetFirstLastname($expediteur->firstname, $expediteur->lastname)."\n"; - $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->rowid."\n\n"; + $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->id."\n\n"; $message.= "\n"; $mail = new CMailFile($subject,$emailTo,$emailFrom,$message); @@ -539,22 +539,22 @@ if ($action == 'confirm_refuse') $result=$mail->sendfile(); if(!$result) { - header('Location: card.php?id='.$_GET['id'].'&error=mail&error_content='.$mail->error); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=mail&error_content='.$mail->error); exit; } - header('Location: card.php?id='.$_GET['id']); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } else { // Sinon on affiche le formulaire de demande avec le message d'erreur SQL - header('Location: card.php?id='.$_GET['id'].'&error=SQL_Create&msg='.$cp->error); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=SQL_Create&msg='.$cp->error); exit; } } } else { - header('Location: card.php?id='.$_GET['id'].'&error=NoMotifRefuse'); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=NoMotifRefuse'); exit; } } @@ -563,7 +563,7 @@ if ($action == 'confirm_refuse') if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes') { $cp = new Holiday($db); - $cp->fetch($_GET['id']); + $cp->fetch($id); // Si statut en attente de validation et valideur = utilisateur if (($cp->statut == 2 || $cp->statut == 3) && ($user->id == $cp->fk_validator || $user->id == $cp->fk_user)) @@ -616,7 +616,7 @@ if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes') if (!$emailTo) { - header('Location: card.php?id='.$_GET['id']); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } 
@@ -638,7 +638,7 @@ if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes') $message.= $langs->transnoentities("HolidaysCanceledBody", dol_print_date($cp->date_debut,'day'), dol_print_date($cp->date_fin,'day'))."\n"; $message.= "- ".$langs->transnoentitiesnoconv("ModifiedBy")." : ".dolGetFirstLastname($expediteur->firstname, $expediteur->lastname)."\n"; - $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->rowid."\n\n"; + $message.= "- ".$langs->transnoentitiesnoconv("Link")." : ".$dolibarr_main_url_root."/holiday/card.php?id=".$cp->id."\n\n"; $message.= "\n"; $mail = new CMailFile($subject,$emailTo,$emailFrom,$message); @@ -648,17 +648,17 @@ if ($action == 'confirm_cancel' && GETPOST('confirm') == 'yes') if(!$result) { - header('Location: card.php?id='.$_GET['id'].'&error=mail&error_content='.$mail->error); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=mail&error_content='.$mail->error); exit; } - header('Location: card.php?id='.$_GET['id']); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id); exit; } else { // Sinon on affiche le formulaire de demande avec le message d'erreur SQL - header('Location: card.php?id='.$_GET['id'].'&error=SQL_Create&msg='.$cp->error); + header('Location: '.$_SERVER["PHP_SELF"].'?id='.$cp->id.'&error=SQL_Create&msg='.$cp->error); exit; } 
@@ -852,13 +852,8 @@ if (empty($id) || $action == 'add' || $action == 'request' || $action == 'create // Approved by print ''; print ''.$langs->trans("ReviewedByCP").''; - $validator = new UserGroup($db); - $excludefilter=$user->admin?'':'u.rowid <> '.$user->id; - $valideurobjects = $validator->listUsersForGroup($excludefilter); - $valideurarray = array(); - foreach($valideurobjects as $val) $valideurarray[$val->id]=$val->id; print ''; - print $form->select_dolusers((GETPOST('valideur')>0?GETPOST('valideur'):$user->fk_user), "valideur", 1, "", 0, $valideurarray, 0, 0, 0, 0, '', 0, '', '', 1); // By default, hierarchical parent + print $form->select_dolusers((GETPOST('valideur')>0?GETPOST('valideur'):$user->fk_user), "valideur", 1, ($user->admin ? '' : array($user->id)), 0, '', 0, 0, 0, 0, '', 0, '', '', 1); // By default, hierarchical parent print ''; print ''; 
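Review bot: The approver selector now offers every user that `select_dolusers()` returns, excluding only the current user via `($user->admin ? '' : array($user->id))`, whereas the removed code limited the list to `listUsersForGroup()`. That widening is only safe if the create action still verifies server-side that the posted `valideur` is an acceptable approver; that check is not visible in this patch, so it is worth confirming rather than relying on the dropdown contents. Once verified, a short comment on the new line would record the intent: `// Any active user except the requester may be chosen; the create action re-checks valideur`. The enclosing form block continues outside the hunk.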
@@ -952,35 +947,35 @@ else { if ($action == 'delete') { - if($user->rights->holiday->delete) + if ($user->rights->holiday->delete) { - print $form->formconfirm("card.php?id=".$id,$langs->trans("TitleDeleteCP"),$langs->trans("ConfirmDeleteCP"),"confirm_delete", '', 0, 1); + print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id,$langs->trans("TitleDeleteCP"),$langs->trans("ConfirmDeleteCP"),"confirm_delete", '', 0, 1); } } // Si envoi en validation if ($action == 'sendToValidate' && $cp->statut == 1) { - print $form->formconfirm("card.php?id=".$id,$langs->trans("TitleToValidCP"),$langs->trans("ConfirmToValidCP"),"confirm_send", '', 1, 1); + print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id,$langs->trans("TitleToValidCP"),$langs->trans("ConfirmToValidCP"),"confirm_send", '', 1, 1); } // Si validation de la demande if ($action == 'valid') { - print $form->formconfirm("card.php?id=".$id,$langs->trans("TitleValidCP"),$langs->trans("ConfirmValidCP"),"confirm_valid", '', 1, 1); + print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id,$langs->trans("TitleValidCP"),$langs->trans("ConfirmValidCP"),"confirm_valid", '', 1, 1); } // Si refus de la demande if ($action == 'refuse') { $array_input = array(array('type'=>"text",'label'=> $langs->trans('DetailRefusCP'),'name'=>"detail_refuse",'size'=>"50",'value'=>"")); - print $form->formconfirm("card.php?id=".$id."&action=confirm_refuse", $langs->trans("TitleRefuseCP"), $langs->trans('ConfirmRefuseCP'), "confirm_refuse", $array_input, 1, 0); + print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id."&action=confirm_refuse", $langs->trans("TitleRefuseCP"), $langs->trans('ConfirmRefuseCP'), "confirm_refuse", $array_input, 1, 0); } // Si annulation de la demande if ($action == 'cancel') { - print $form->formconfirm("card.php?id=".$id,$langs->trans("TitleCancelCP"),$langs->trans("ConfirmCancelCP"),"confirm_cancel", '', 1, 1); + print 
$form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id,$langs->trans("TitleCancelCP"),$langs->trans("ConfirmCancelCP"),"confirm_cancel", '', 1, 1); } $head=holiday_prepare_head($cp); @@ -989,13 +984,13 @@ else if ($action == 'edit' && $cp->statut == 1) { $edit = true; - print '
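Review bot: The confirm URLs built in this hunk (`$form->formconfirm($_SERVER["PHP_SELF"]."?id=".$cp->id, ...)`) place `$_SERVER["PHP_SELF"]` into an HTML form action; PHP_SELF reflects the request path including any trailing path-info the client appended, so it is not a trusted value in an HTML context. Unless main.inc.php already normalizes it for this page (not visible here), pass it through the existing escaper, e.g. `$form->formconfirm(dol_escape_htmltag($_SERVER["PHP_SELF"])."?id=".$cp->id, ...)`, or build the URL from the known script name. The `$cp->id` part is fine since it comes from the fetched record. The same construct is used in the Location headers earlier in the patch, where header() rejects newlines, so the concern is mainly the HTML output here and in the edit-form hunk at @@ -989.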
'."\n"; + print ''."\n"; print ''."\n"; - print ''."\n"; + print ''."\n"; } dol_fiche_head($head,'card',$langs->trans("CPTitreMenu"),0,'holiday'); - + print ''; print ''; @@ -1132,15 +1127,8 @@ else } else { print ''; print ''; - - $validator = new UserGroup($db); - $excludefilter=$user->admin?'':'u.rowid <> '.$user->id; - $valideurobjects = $validator->listUsersForGroup($excludefilter); - $valideurarray = array(); - foreach($valideurobjects as $val) $valideurarray[$val->id]=$val->id; - print ''; print ''; } @@ -1149,19 +1137,19 @@ else print ''; print ''; print ''; - if($cp->statut == 3) { + if ($cp->statut == 3) { print ''; print ''; print ''; print ''; } - if($cp->statut == 4) { + if ($cp->statut == 4) { print ''; print ''; print ''; print ''; } - if($cp->statut == 5) { + if ($cp->statut == 5) { print ''; print ''; print ''; @@ -1171,7 +1159,7 @@ else print '
'.$langs->trans('ReviewedByCP').''; - print $form->select_dolusers($user->fk_user, "valideur", 1, "", 0, $valideurarray); // By default, hierarchical parent + print $form->select_dolusers($cp->fk_user, "valideur", 1, ($user->admin ? '' : array($user->id))); // By default, hierarchical parent print '
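Review bot: The edit form now preselects `$cp->fk_user` in `select_dolusers($cp->fk_user, "valideur", ...)`, but `fk_user` is the requester of the leave, not an approver; the field being edited is the validator, so the current value is `$cp->fk_validator`. As written, submitting the form without touching the dropdown either preselects the requester or, when the requester is the current user and is therefore excluded from the list, falls back to the first entry, and the update action (outside this hunk) would then store that as the approver. Suggested line: `print $form->select_dolusers($cp->fk_validator, "valideur", 1, ($user->admin ? '' : array($user->id))); // Preselect the approver currently assigned`. The trailing comment `// By default, hierarchical parent` no longer describes what is passed and should be updated with it.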
'.$langs->trans('DateCreateCP').''.dol_print_date($cp->date_create,'dayhour').'
'.$langs->trans('DateValidCP').''.dol_print_date($cp->date_valid,'dayhour').'
'.$langs->trans('DateCancelCP').''.dol_print_date($cp->date_cancel,'dayhour').'
'.$langs->trans('DateRefusCP').''.dol_print_date($cp->date_refuse,'dayhour').'
'; dol_fiche_end(); - + if ($action == 'edit' && $cp->statut == 1) { print '
'; @@ -1192,26 +1180,26 @@ else // Boutons d'actions if ($canedit && $cp->statut == 1) { - print ''.$langs->trans("EditCP").''; + print ''.$langs->trans("EditCP").''; } if ($canedit && $cp->statut == 1) { - print ''.$langs->trans("Validate").''; + print ''.$langs->trans("Validate").''; } if ($user->rights->holiday->delete && $cp->statut == 1) // If draft { - print ''.$langs->trans("DeleteCP").''; + print ''.$langs->trans("DeleteCP").''; } if ($user->id == $cp->fk_validator && $cp->statut == 2) { - print ''.$langs->trans("Approve").''; - print ''.$langs->trans("ActionRefuseCP").''; + print ''.$langs->trans("Approve").''; + print ''.$langs->trans("ActionRefuseCP").''; } if (($user->id == $cp->fk_validator || $user->id == $cp->fk_user) && ($cp->statut == 2 || $cp->statut == 3)) // Status validated or approved { - if (($cp->date_debut > dol_now()) || $user->admin) print ''.$langs->trans("ActionCancelCP").''; + if (($cp->date_debut > dol_now()) || $user->admin) print ''.$langs->trans("ActionCancelCP").''; else print ''.$langs->trans("ActionCancelCP").''; } diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php index 1d1c624aa4c..4e5706f94c6 100644 --- a/htdocs/holiday/class/holiday.class.php +++ b/htdocs/holiday/class/holiday.class.php @@ -1,8 +1,8 @@ - * Copyright (C) 2012-2014 Laurent Destailleur - * Copyright (C) 2012 Regis Houssin - * Copyright (C) 2013 Florian Henry +/* Copyright (C) 2011 Dimitri Mouillard + * Copyright (C) 2012-2014 Laurent Destailleur + * Copyright (C) 2012-2016 Regis Houssin + * Copyright (C) 2013 Florian Henry * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -35,7 +35,7 @@ class Holiday extends CommonObject public $table_element='holiday'; protected $isnolinkedbythird = 1; // No field fk_soc protected $ismultientitymanaged = 0; // 0=No test on entity, 1=Test with field entity, 2=Test with link by societe - + /** * @deprecated * @see id @@ -161,7 +161,7 @@ class Holiday extends CommonObject if (! $error) { - $this->rowid = $this->db->last_insert_id(MAIN_DB_PREFIX."holiday"); + $this->id = $this->db->last_insert_id(MAIN_DB_PREFIX."holiday"); } // Commit or rollback @@ -178,7 +178,7 @@ class Holiday extends CommonObject else { $this->db->commit(); - return $this->rowid; + return $this->id; } } @@ -301,7 +301,8 @@ class Holiday extends CommonObject $sql.= " ua.firstname as validator_firstname"; $sql.= " FROM ".MAIN_DB_PREFIX."holiday as cp, ".MAIN_DB_PREFIX."user as uu, ".MAIN_DB_PREFIX."user as ua"; - $sql.= " WHERE cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid "; // Hack pour la recherche sur le tableau + $sql.= " WHERE cp.entity IN (".getEntity('holiday', 1).")"; + $sql.= " AND cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid "; // Hack pour la recherche sur le tableau $sql.= " AND cp.fk_user = '".$user_id."'"; // Filtre de séléction @@ -413,7 +414,8 @@ class Holiday extends CommonObject $sql.= " ua.firstname as validator_firstname"; $sql.= " FROM ".MAIN_DB_PREFIX."holiday as cp, ".MAIN_DB_PREFIX."user as uu, ".MAIN_DB_PREFIX."user as ua"; - $sql.= " WHERE cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid "; // Hack pour la recherche sur le tableau + $sql.= " WHERE cp.entity IN (".getEntity('holiday', 1).")"; + $sql.= " AND cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid "; // Hack pour la recherche sur le tableau // Filtrage de séléction if(!empty($filter)) { @@ -560,7 +562,7 @@ class Holiday extends CommonObject $sql.= " detail_refuse = NULL"; } - $sql.= " WHERE rowid= '".$this->rowid."'"; + $sql.= " WHERE rowid= '".$this->id."'"; $this->db->begin(); 
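Review bot: The entity filter `cp.entity IN (".getEntity('holiday', 1).")` is added to the two list queries (@@ -301 and @@ -413), but the first hunk keeps `$ismultientitymanaged = 0`, and the `update()` and `delete()` hunks still address rows by `WHERE rowid = ...` alone, so a record loaded by id (card.php's `$cp->fetch($id)`) is presumably not scoped to the current entity and can then be updated, deleted or emailed from another entity. If fetch() has no entity clause either (it is outside this patch), the same `AND entity IN (...)` predicate belongs there, or `$ismultientitymanaged` should become 1 so CommonObject applies it uniformly. A comment on the list queries explaining why getEntity() is called explicitly while the flag stays 0 would help the next reader, e.g. `// Entity scoping is done here explicitly; ismultientitymanaged stays 0 for this class`.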
@@ -607,7 +609,7 @@ class Holiday extends CommonObject $error=0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."holiday"; - $sql.= " WHERE rowid=".$this->rowid; + $sql.= " WHERE rowid=".$this->id; $this->db->begin(); @@ -1112,16 +1114,29 @@ class Holiday extends CommonObject */ function fetchUsers($stringlist=true,$type=true) { + global $conf; + // Si vrai donc pour user Dolibarr if ($stringlist) { - if($type) + if ($type) { // Si utilisateur de Dolibarr $sql = "SELECT u.rowid"; $sql.= " FROM ".MAIN_DB_PREFIX."user as u"; - $sql.= " WHERE statut > 0"; + + if (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode)) + { + $sql.= ", ".MAIN_DB_PREFIX."usergroup_user as ug"; + $sql.= " WHERE (ug.fk_user = u.rowid"; + $sql.= " AND ug.entity = ".$conf->entity.")"; + $sql.= " OR u.admin = 1"; + } + else + $sql.= " WHERE u.entity IN (0,".$conf->entity.")"; + + $sql.= " AND u.statut > 0"; dol_syslog(get_class($this)."::fetchUsers", LOG_DEBUG); $resql=$this->db->query($sql); @@ -1138,7 +1153,7 @@ class Holiday extends CommonObject { $obj = $this->db->fetch_object($resql); - if($i == 0) { + if ($i == 0) { $stringlist.= $obj->rowid; } else { $stringlist.= ', '.$obj->rowid; @@ -1158,7 +1173,7 @@ class Holiday extends CommonObject } else - { + { // We want only list of user id $sql = "SELECT DISTINCT cpu.fk_user"; $sql.= " FROM ".MAIN_DB_PREFIX."holiday_users as cpu"; 
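Review bot: In the transverse-mode branch of fetchUsers() the new WHERE clause evaluates as `(ug.fk_user = u.rowid AND ug.entity = N) OR (u.admin = 1 AND u.statut > 0)` because `AND` binds tighter than `OR`, so the `u.statut > 0` condition appended afterwards no longer applies to the entity's ordinary users (disabled accounts are listed again), and the unjoined `u.admin = 1` alternative cross-joins every `usergroup_user` row, duplicating admins (and users in several groups) in the result. Parenthesise the alternative and deduplicate: `$sql = "SELECT DISTINCT u.rowid";`, `$sql.= " WHERE ((ug.fk_user = u.rowid";` … `$sql.= " OR u.admin = 1)";` so the later `AND u.statut > 0` applies to both branches. The same construction is repeated in the @@ -1199 hunk (`SELECT u.rowid, u.lastname, u.firstname`) and needs the same fix. fetchUsers() continues past the end of this hunk.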
@@ -1199,14 +1214,25 @@ class Holiday extends CommonObject } else - { // Si faux donc user Congés Payés + { // Si faux donc user Congés Payés // List for Dolibarr users if ($type) { $sql = "SELECT u.rowid, u.lastname, u.firstname"; $sql.= " FROM ".MAIN_DB_PREFIX."user as u"; - $sql.= " WHERE statut > 0"; + + if (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode)) + { + $sql.= ", ".MAIN_DB_PREFIX."usergroup_user as ug"; + $sql.= " WHERE (ug.fk_user = u.rowid"; + $sql.= " AND ug.entity = ".$conf->entity.")"; + $sql.= " OR u.admin = 1"; + } + else + $sql.= " WHERE u.entity IN (0,".$conf->entity.")"; + + $sql.= " AND u.statut > 0"; dol_syslog(get_class($this)."::fetchUsers", LOG_DEBUG); $resql=$this->db->query($sql); diff --git a/htdocs/holiday/define_holiday.php b/htdocs/holiday/define_holiday.php index 71d286348e8..c181036a0da 100644 --- a/htdocs/holiday/define_holiday.php +++ b/htdocs/holiday/define_holiday.php @@ -1,7 +1,8 @@ - * Copyright (C) 2011 Dimitri Mouillard - * Copyright (C) 2013 Marcos García +/* Copyright (C) 2007-2015 Laurent Destailleur + * Copyright (C) 2011 Dimitri Mouillard + * Copyright (C) 2013 Marcos García + * Copyright (C) 2016 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -132,7 +133,7 @@ elseif($action == 'add_event') $new_holiday = $nb_holiday + $add_holiday; // add event to existing types of vacation - foreach ($typeleaves as $key => $leave) + foreach ($typeleaves as $key => $leave) { $vacationTypeID = $leave['rowid']; @@ -160,7 +161,7 @@ print load_fiche_titre($langs->trans('MenuConfCP'), '', 'title_hrm.png'); print '
'.$langs->trans('LastUpdateCP').': '."\n"; $lastUpdate = $holiday->getConfCP('lastUpdate'); -if ($lastUpdate) +if ($lastUpdate) { $monthLastUpdate = $lastUpdate[4].$lastUpdate[5]; $yearLastUpdate = $lastUpdate[0].$lastUpdate[1].$lastUpdate[2].$lastUpdate[3]; @@ -215,7 +216,7 @@ else { print ''."\n"; print ''; - + print ''; print ""; print ''; @@ -233,12 +234,12 @@ else print ''; print ''; print ''; - - + + foreach($listUsers as $users) { $var=!$var; - + print ''; print ''; - + if (count($typeleaves)) { foreach($typeleaves as $key => $val) @@ -261,17 +262,17 @@ else } else { - print ''; + print ''; } print ''; print ''."\n"; print ''; - + $i++; } - + print '
'.$langs->trans('Employee').''.$langs->trans('Note').'
'; $userstatic->id=$users['rowid']; @@ -246,7 +247,7 @@ else $userstatic->firstname=$users['firstname']; print $userstatic->getNomUrl(1); print '
'; - + print ''; } diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index a92945ce502..c2cdab79d8d 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -1,7 +1,7 @@ * Copyright (C) 2013-2015 Laurent Destailleur - * Copyright (C) 2012 Regis Houssin + * Copyright (C) 2012-2016 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -232,16 +232,16 @@ if ($id > 0) $title = $langs->trans("User"); $linkback = ''.$langs->trans("BackToList").''; $head = user_prepare_head($fuser); - + dol_fiche_head($head, 'paidholidays', $title, 0, 'user'); dol_banner_tab($fuser,'id',$linkback,$user->rights->user->user->lire || $user->admin); - - + + print '
'; - + print '
'; - + } else { @@ -283,7 +283,7 @@ if ($sall) foreach($fieldstosearchall as $key => $val) $fieldstosearchall[$key]=$langs->trans($val); print $langs->trans("FilterOnInto", $sall) . join(', ',$fieldstosearchall); } - + print ''; print ""; print_liste_field_titre($langs->trans("Ref"),$_SERVER["PHP_SELF"],"cp.rowid","",'','',$sortfield,$sortorder); diff --git a/htdocs/install/mysql/migration/3.8.0-3.9.0.sql b/htdocs/install/mysql/migration/3.8.0-3.9.0.sql index b6be65f725c..16cbb13a57d 100755 --- a/htdocs/install/mysql/migration/3.8.0-3.9.0.sql +++ b/htdocs/install/mysql/migration/3.8.0-3.9.0.sql @@ -593,6 +593,7 @@ ALTER TABLE llx_accounting_bookkeeping MODIFY COLUMN doc_ref varchar(300) NOT NU ALTER TABLE llx_holiday ADD COLUMN tms timestamp; ALTER TABLE llx_holiday ADD COLUMN entity integer DEFAULT 1 NOT NULL; +ALTER TABLE llx_holiday ADD INDEX idx_holiday_entity (entity); -- Fix Argentina provences INSERT INTO llx_c_departements ( code_departement, fk_region, cheflieu, tncc, ncc, nom, active) VALUES ('2326', 2305, '', 0, 'MISIONES', 'Misiones', 1); diff --git a/htdocs/install/mysql/tables/llx_holiday.key.sql b/htdocs/install/mysql/tables/llx_holiday.key.sql index 8c66d2d80d4..9a1a6ae49e3 100644 --- a/htdocs/install/mysql/tables/llx_holiday.key.sql +++ b/htdocs/install/mysql/tables/llx_holiday.key.sql @@ -1,5 +1,6 @@ -- =================================================================== --- Copyright (C) 2012 Laurent Destailleur +-- Copyright (C) 2012 Laurent Destailleur +-- Copyright (C) 2016 Regis Houssin -- -- This program is free software; you can redistribute it and/or modify -- it under the terms of the GNU General Public License as published by 
@@ -16,6 +17,7 @@
 --
 -- ===================================================================
+ALTER TABLE llx_holiday ADD INDEX idx_holiday_entity (entity);
 ALTER TABLE llx_holiday ADD INDEX idx_holiday_fk_user (fk_user);
 ALTER TABLE llx_holiday ADD INDEX idx_holiday_fk_user_create (fk_user_create);
 ALTER TABLE llx_holiday ADD INDEX idx_holiday_date_create (date_create);